Report Name: Linux Patch Wednesday November 2024
Generated: 2024-11-20 23:59:08
Vulristics Vulnerability Scores
- All vulnerabilities: 803
- Urgent: 0
- Critical: 8
- High: 44
- Medium: 610
- Low: 141
Basic Vulnerability Scores
- All vulnerabilities: 803
- Critical: 18
- High: 214
- Medium: 399
- Low: 0
Products
Product Name | Prevalence | U | C | H | M | L | A | Comment |
---|---|---|---|---|---|---|---|---|
Linux Kernel | 0.9 | | | 4 | 461 | 102 | 567 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
Polkit | 0.9 | | | 1 | | | 1 | polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes |
Windows Kernel | 0.9 | | | 1 | | | 1 | Windows Kernel |
APT | 0.8 | | | | | 1 | 1 | A free-software user interface that works with core libraries to handle the installation and removal of software on Debian |
Chromium | 0.8 | | 3 | 4 | 22 | | 29 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
GNOME desktop | 0.8 | | | 1 | 3 | | 4 | GNOME, originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems |
Mozilla Firefox | 0.8 | | | 7 | 5 | | 12 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
Node.js | 0.8 | | | | 1 | | 1 | Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more |
PHP | 0.8 | | | 2 | 4 | | 6 | PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. |
RPC | 0.8 | | | | 1 | | 1 | Remote Procedure Call Runtime |
Safari | 0.8 | | | | 2 | | 2 | Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML. |
Windows Libarchive | 0.8 | | 1 | | | | 1 | Windows component |
X.org server | 0.8 | | | 1 | | | 1 | X.Org Server is the free and open-source implementation of the X Window System (X11) display server stewarded by the X.Org Foundation |
.NET and Visual Studio | 0.7 | | | 1 | 1 | | 2 | .NET and Visual Studio |
Apache Tomcat | 0.7 | | | | 1 | | 1 | Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies |
Apache Traffic Server | 0.7 | | | | 3 | | 3 | The Apache Traffic Server is a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid |
Apple iOS | 0.7 | | | | 1 | | 1 | iOS is an operating system developed and marketed by Apple Inc |
Curl | 0.7 | | | 1 | | | 1 | Curl is a command-line tool for transferring data specified with URL syntax |
Oracle MySQL | 0.7 | | | | 16 | | 16 | MySQL is an open-source relational database management system |
QEMU | 0.7 | | | | 1 | | 1 | QEMU is a generic and open source machine & userspace emulator and virtualizer |
SQLite | 0.7 | | | 1 | 1 | | 2 | SQLite is a database engine written in the C programming language |
Eclipse Mosquitto | 0.6 | | | 2 | | | 2 | Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations from full power machines to embedded and low power machines |
Jetty | 0.6 | | | 1 | 3 | | 4 | Jetty is a Java based web server and servlet engine |
Laravel | 0.6 | | | | 1 | | 1 | Laravel is a web application framework |
Nextcloud | 0.6 | | | 2 | 1 | | 3 | Nextcloud server is a self hosted personal cloud system |
Perl | 0.6 | | | | 6 | | 6 | Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages |
PyTorch | 0.6 | | 1 | | | | 1 | PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing, originally developed by Meta AI and now part of the Linux Foundation umbrella |
Python | 0.6 | | | | 5 | | 5 | Python is a high-level, general-purpose programming language |
Vault | 0.6 | | | | 3 | | 3 | Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing |
ARM processor | 0.5 | | | | | 1 | 1 | Processor |
CXF | 0.5 | | | | 1 | | 1 | Product detected by a:apache:cxf (exists in CPE dict) |
Consul | 0.5 | | | | 3 | | 3 | Product detected by a:hashicorp:consul (exists in CPE dict) |
DOMPurify | 0.5 | | | | 1 | | 1 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG |
Flask | 0.5 | | | | 1 | | 1 | Flask is a lightweight WSGI web application framework |
HID | 0.5 | | | | | 1 | 1 | HID |
NVIDIA GPU Display Driver | 0.5 | | | | 1 | | 1 | An NVIDIA driver is a software program that enables communication between your computer and the NVIDIA graphics processor installed in your system |
OpenJS Express | 0.5 | | | 1 | | | 1 | Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications |
Qbittorrent | 0.5 | | | 1 | | | 1 | Product detected by a:qbittorrent:qbittorrent (exists in CPE dict) |
Rexml | 0.5 | | | | 1 | | 1 | Product detected by a:ruby-lang:rexml (exists in CPE dict) |
Spring Framework | 0.5 | | | 1 | | | 1 | Product detected by a:vmware:spring_framework (exists in CPE dict) |
Squid | 0.5 | | 1 | | | | 1 | Product detected by a:squid-cache:squid (exists in CPE dict) |
Starlette | 0.5 | | | 1 | | | 1 | Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit |
Suricata | 0.5 | | | | 5 | | 5 | Product detected by a:oisf:suricata (exists in CPE dict) |
TLS | 0.5 | | | | 1 | | 1 | TLS |
TRIE | 0.5 | | | | 1 | 1 | 2 | TRIE |
Thunderbird | 0.5 | | | | | 1 | 1 | Product detected by a:mozilla:thunderbird (exists in CPE dict) |
Twig | 0.5 | | | | 2 | | 2 | Twig is a template language for PHP |
Waitress | 0.5 | | | | 2 | | 2 | Product detected by a:agendaless:waitress (exists in CPE dict) |
assimp | 0.5 | | | 1 | | | 1 | Product detected by a:assimp:assimp (exists in CPE dict) |
butterfly | 0.5 | | 1 | | | | 1 | Product detected by a:openrefine:butterfly (does NOT exist in CPE dict) |
cli | 0.5 | | | | 1 | | 1 | Product detected by a:github:cli (does NOT exist in CPE dict) |
icinga | 0.5 | | | 1 | | | 1 | Product detected by a:icinga:icinga (exists in CPE dict) |
libsndfile | 0.5 | | | 2 | | | 2 | Product detected by a:libsndfile_project:libsndfile (exists in CPE dict) |
linux-pam | 0.5 | | | | | 1 | 1 | Product detected by a:linux-pam:linux-pam (exists in CPE dict) |
mutt | 0.5 | | | | 2 | | 2 | Product detected by a:mutt:mutt (exists in CPE dict) |
nimbus_jose+jwt | 0.5 | | | | 1 | | 1 | Product detected by a:connect2id:nimbus_jose+jwt (does NOT exist in CPE dict) |
nomacs | 0.5 | | | 1 | | | 1 | Product detected by a:nomacs:nomacs (exists in CPE dict) |
openrefine | 0.5 | | 1 | 3 | 1 | | 5 | Product detected by a:openrefine:openrefine (exists in CPE dict) |
pure-ftpd | 0.5 | | | 1 | | | 1 | Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server |
sentry_software_development_kit | 0.5 | | | | 1 | | 1 | Product detected by a:sentry:sentry_software_development_kit (exists in CPE dict) |
vim | 0.5 | | | | 1 | | 1 | Product detected by a:vim:vim (exists in CPE dict) |
weechat | 0.5 | | | | 1 | | 1 | Product detected by a:weechat:weechat (exists in CPE dict) |
wordpress | 0.5 | | | | 1 | | 1 | Product detected by a:wordpress:wordpress (exists in CPE dict) |
GPAC | 0.4 | | | 1 | | | 1 | GPAC is an Open Source multimedia framework for research and academic purposes; the project covers different aspects of multimedia, with a focus on presentation technologies (graphics, animation and interactivity) |
Git | 0.4 | | | | 1 | | 1 | Git |
gomarkdown/markdown | 0.4 | | | 1 | | | 1 | A Go library for parsing Markdown text and rendering as HTML |
Artifex Ghostscript | 0.3 | | | | 6 | | 6 | Artifex Ghostscript is an interpreter for the PostScript® language and PDF files |
Unknown Product | 0 | | | | 33 | 33 | 66 | Unknown Product |
Vulnerability Types
Vulnerability Type | Criticality | U | C | H | M | L | A |
---|---|---|---|---|---|---|---|
Remote Code Execution | 1.0 | | 3 | 11 | 12 | 1 | 27 |
Authentication Bypass | 0.98 | | | 4 | 4 | | 8 |
Code Injection | 0.97 | | 1 | 1 | 1 | | 3 |
Command Injection | 0.97 | | | 2 | 4 | | 6 |
XXE Injection | 0.97 | | | 1 | | | 1 |
Security Feature Bypass | 0.9 | | 2 | 9 | 32 | | 43 |
Elevation of Privilege | 0.85 | | | 1 | 4 | | 5 |
Information Disclosure | 0.83 | | | 1 | 10 | 2 | 13 |
Cross Site Scripting | 0.8 | | | 2 | 7 | | 9 |
Open Redirect | 0.75 | | | 1 | 2 | | 3 |
Denial of Service | 0.7 | | | 6 | 42 | 4 | 52 |
Path Traversal | 0.7 | | | | 6 | | 6 |
Incorrect Calculation | 0.5 | | | | 25 | 1 | 26 |
Memory Corruption | 0.5 | | 2 | 5 | 296 | 3 | 306 |
Unknown Vulnerability Type | 0 | | | | 165 | 130 | 295 |
Comments
Source | U | C | H | M | L | A |
---|---|---|---|---|---|---|
almalinux | | 1 | 10 | 10 | 1 | 22 |
debian | | 8 | 38 | 538 | 104 | 688 |
oraclelinux | | 1 | 11 | 21 | 14 | 47 |
redhat | | | 9 | 8 | 1 | 18 |
redos | | | 7 | 30 | 10 | 47 |
ubuntu | | 1 | 11 | 64 | 19 | 95 |
Vulnerabilities
Urgent (0)
Critical (8)
1. Security Feature Bypass - Chromium (CVE-2024-10229) - Critical [740]
Description: Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on BDU website |
Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned on BDU:PrivateExploit website |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.2766 |
debian: CVE-2024-10229 was patched at 2024-10-28, 2024-11-19
2. Memory Corruption - Chromium (CVE-2024-10230) - Critical [680]
Description: Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on BDU website |
Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned on BDU:PrivateExploit website |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.2766 |
debian: CVE-2024-10230 was patched at 2024-10-28, 2024-11-19
3. Memory Corruption - Chromium (CVE-2024-10231) - Critical [680]
Description: Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 1.0 | 18 | Exploitation in the wild is mentioned on BDU website |
Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned on BDU:PrivateExploit website |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.2766 |
debian: CVE-2024-10231 was patched at 2024-10-28, 2024-11-19
4. Remote Code Execution - Windows Libarchive (CVE-2024-20696) - Critical [645]
Description: Windows Libarchive Remote Code Execution Vulnerability
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:CLEARBLUEJAR:CVE-2024-20696 website |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | Windows component |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.3. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00087, EPSS Percentile is 0.38136 |
debian: CVE-2024-20696 was patched at 2024-11-09, 2024-11-19
ubuntu: CVE-2024-20696 was patched at 2024-10-31
5. Remote Code Execution - PyTorch (CVE-2024-48063) - Critical [623]
Description: In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:ZGIMSZHD61:CVE-2024-48063-POC website |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.6 | 14 | PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing, originally developed by Meta AI and now part of the Linux Foundation umbrella |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-48063 was patched at 2024-11-19
6. Remote Code Execution - butterfly (CVE-2024-47883) - Critical [619]
Description: The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote machine if indicated, and uses it as if it was a trusted part of the app's codebase. This leads to multiple weaknesses and potential weaknesses. An attacker that has network access to the application could use it to gain access to files, either on the server's filesystem (path traversal) or shared by nearby machines (server-side request forgery with e.g. SMB). An attacker that can lead or redirect a user to a crafted URL belonging to the app could cause arbitrary attacker-controlled JavaScript to be loaded in the victim's browser (cross-site scripting). If an app is written in such a way that an attacker can influence the resource name used for a template, that attacker could cause the app to fetch and execute an attacker-controlled template (remote code execution). Version 1.2.6 contains a patch.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:openrefine:butterfly (does NOT exist in CPE dict) |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 9.1. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00088, EPSS Percentile is 0.39054 |
debian: CVE-2024-47883 was patched at 2024-11-19
7. Code Injection - openrefine (CVE-2024-47881) - Critical [601]
Description: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.97 | 15 | Code Injection |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:openrefine:openrefine (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00087, EPSS Percentile is 0.38606 |
debian: CVE-2024-47881 was patched at 2024-11-19
8. Security Feature Bypass - Squid (CVE-2024-45802) - Critical [601]
Description: Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on BDU:PublicExploit website |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:squid-cache:squid (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.5 | 10 | EPSS Probability is 0.00117, EPSS Percentile is 0.47015 |
almalinux: CVE-2024-45802 was patched at 2024-11-14
debian: CVE-2024-45802 was patched at 2024-11-19
oraclelinux: CVE-2024-45802 was patched at 2024-11-15, 2024-11-18
High (44)
9. Security Feature Bypass - openrefine (CVE-2024-47880) - High [589]
Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Clojure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:openrefine:openrefine (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00084, EPSS Percentile is 0.37134 |
debian: CVE-2024-47880 was patched at 2024-11-19
10. Security Feature Bypass - Qbittorrent (CVE-2024-51774) - High [577]
Description: qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:sharpsec.run, BDU:PublicExploit websites |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:qbittorrent:qbittorrent (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.2887 |
debian: CVE-2024-51774 was patched at 2024-11-19
redos: CVE-2024-51774 was patched at 2024-11-13
11. Security Feature Bypass - icinga (CVE-2024-24820) - High [577]
Description: Icinga Director is a tool designed to make Icinga 2 configuration handling easy. None of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well, and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:icinga:icinga (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.3. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.0006, EPSS Percentile is 0.2726 |
debian: CVE-2024-24820 was patched at 2024-11-19
12. Security Feature Bypass - Curl (CVE-2024-9681) - High [575]
Description: When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on BDU:PublicExploit website |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | Curl is a command-line tool for transferring data specified with URL syntax |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.9. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-9681 was patched at 2024-11-19
ubuntu: CVE-2024-9681 was patched at 2024-11-18
13. Remote Code Execution - assimp (CVE-2024-48423) - High [571]
Description: An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:assimp:assimp (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-48423 was patched at 2024-11-19
14. Command Injection - Jetty (CVE-2024-6763) - High [570]
Description: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.97 | 15 | Command Injection |
Vulnerable Product is Common | 0.6 | 14 | Jetty is a Java based web server and servlet engine |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 3.7. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00087, EPSS Percentile is 0.38513 |
debian: CVE-2024-6763 was patched at 2024-11-19
15. Cross Site Scripting - openrefine (CVE-2024-47878) - High [547]
Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:openrefine:openrefine (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-47878 was patched at 2024-11-19
16. Memory Corruption - Linux Kernel (CVE-2024-39486) - High [536]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/drm_file: Fix pid refcounting race. filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the following race possible:

    process A                                    process B
    =========                                    =========
                                                 begin drm_file_update_pid
                                                 mutex_lock(&dev->filelist_mutex)
                                                 rcu_replace_pointer(filp->pid, <pid B>, 1)
                                                 mutex_unlock(&dev->filelist_mutex)
    begin drm_file_update_pid
    mutex_lock(&dev->filelist_mutex)
    rcu_replace_pointer(filp->pid, <pid A>, 1)
    mutex_unlock(&dev->filelist_mutex)
    get_pid(<pid A>)
    synchronize_rcu()
    put_pid(<pid B>)  *** pid B reaches refcount 0 and is freed here ***
                                                 get_pid(<pid B>)  *** UAF ***
                                                 synchronize_rcu()
                                                 put_pid(<pid A>)

As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y because it requires RCU to detect a quiescent state in code that is not explicitly calling into the scheduler. This race leads to use-after-free of a "struct pid". It is probably somewhat hard to hit because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid(). Fix it by ensuring that by the time a pointer to the current task's pid is stored in the file, an extra reference to the pid has been taken. This fix also removes the condition for synchronize_rcu(); I think that optimization is unnecessary complexity, since in that case we would usually have bailed out on the lockless check above.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:1337DAY-ID-39698, Vulners:PublicExploit:PACKETSTORM:179909 websites |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
oraclelinux: CVE-2024-39486 was patched at 2024-11-14
ubuntu: CVE-2024-39486 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
17. Open Redirect - Nextcloud (CVE-2023-35171) - High [531]
Description: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2 contain a patch for this issue. No known workarounds are available.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:hackerone.com, BDU:PublicExploit websites |
Criticality of Vulnerability Type | 0.75 | 15 | Open Redirect |
Vulnerable Product is Common | 0.6 | 14 | Nextcloud server is a self hosted personal cloud system |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.1. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00105, EPSS Percentile is 0.44252 |
redos: CVE-2023-35171 was patched at 2024-11-13
18. XXE Injection - OpenJS Express (CVE-2024-10491) - High [530]
Description: A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:www.herodevs.com website |
Criticality of Vulnerability Type | 0.97 | 15 | XXE Injection |
Vulnerable Product is Common | 0.5 | 14 | Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.0. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-10491 was patched at 2024-11-19
19. Denial of Service - nomacs (CVE-2020-23884) - High [529]
Description: A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial of service (DoS) via a crafted MNG file.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:nomacs:nomacs (exists in CPE dict) |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.0009, EPSS Percentile is 0.39693 |
debian: CVE-2020-23884 was patched at 2024-11-19
20. Cross Site Scripting - openrefine (CVE-2024-47882) - High [523]
Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:openrefine:openrefine (exists in CPE dict) |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.9. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00052, EPSS Percentile is 0.2195 |
debian: CVE-2024-47882 was patched at 2024-11-19
21. Memory Corruption - Eclipse Mosquitto (CVE-2024-10525) - High [522]
Description: In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on BDU:PublicExploit website |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.6 | 14 | Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations from full power machines to embedded and low power machines |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 9.1. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-10525 was patched at 2024-11-19
redos: CVE-2024-10525 was patched at 2024-11-13
22. Denial of Service - libsndfile (CVE-2024-50613) - High [517]
Description: libsndfile through 1.2.2 has a reachable assertion that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:libsndfile_project:libsndfile (exists in CPE dict) |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-50613 was patched at 2024-11-19
23. Memory Corruption - Eclipse Mosquitto (CVE-2024-3935) - High [510]
Description: In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on BDU:PublicExploit website |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.6 | 14 | Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations from full power machines to embedded and low power machines |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-3935 was patched at 2024-11-19
redos: CVE-2024-3935 was patched at 2024-11-13
24. Elevation of Privilege - X.org server (CVE-2024-9632) - High [505]
Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned on BDU:PrivateExploit website |
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege |
Vulnerable Product is Common | 0.8 | 14 | X.Org Server is the free and open-source implementation of the X Window System (X11) display server stewarded by the X.Org Foundation |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17412 |
almalinux: CVE-2024-9632 was patched at 2024-11-04, 2024-11-13
debian: CVE-2024-9632 was patched at 2024-10-29, 2024-11-19
oraclelinux: CVE-2024-9632 was patched at 2024-11-04, 2024-11-13
redhat: CVE-2024-9632 was patched at 2024-11-04, 2024-11-13
redos: CVE-2024-9632 was patched at 2024-11-13
ubuntu: CVE-2024-9632 was patched at 2024-10-30
25. Security Feature Bypass - Spring Framework (CVE-2024-38820) - High [505]
Description: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:MARCINGADZ:SPRING-RCE-POC website |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:vmware:spring_framework (exists in CPE dict) |
CVSS Base Score | 0.3 | 10 | CVSS Base Score is 3.1. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00054, EPSS Percentile is 0.23349 |
debian: CVE-2024-38820 was patched at 2024-11-19
26. Memory Corruption - pure-ftpd (CVE-2024-48208) - High [494]
Description: pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:ROHILCHAUDHRY:CVE-2024-48208 website |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.5 | 14 | Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.6. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-48208 was patched at 2024-11-19
27. Denial of Service - GPAC (CVE-2023-4679) - High [477]
Description: A use after free vulnerability exists in GPAC version 2.3-DEV-revrelease, specifically in the gf_filterpacket_del function in filter_core/filter.c at line 38. This vulnerability can lead to a double-free condition, which may cause the application to crash.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:huntr.com website |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.4 | 14 | GPAC is an Open Source multimedia framework for research and academic purposes; the project covers different aspects of multimedia, with a focus on presentation technologies (graphics, animation and interactivity) |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2023-4679 was patched at 2024-11-19
28. Remote Code Execution - .NET and Visual Studio (CVE-2024-43498) - High [473]
Description: .NET and Visual Studio Remote Code Execution Vulnerability
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.7 | 14 | .NET and Visual Studio |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
EPSS Percentile | 0.5 | 10 | EPSS Probability is 0.00143, EPSS Percentile is 0.51397 |
almalinux: CVE-2024-43498 was patched at 2024-11-13
oraclelinux: CVE-2024-43498 was patched at 2024-11-19
ubuntu: CVE-2024-43498 was patched at 2024-11-12
29. Remote Code Execution - Mozilla Firefox (CVE-2024-10467) - High [466]
Description: Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00068, EPSS Percentile is 0.31306 |
almalinux: CVE-2024-10467 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10467 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10467 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10467 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10467 was patched at 2024-10-31
30. Denial of Service - gomarkdown/markdown (CVE-2024-44337) - High [465]
Description: The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains fixes to this problem.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on Vulners:PublicExploit:GitHub:BRINMON:CVE-2024-44337 website |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.4 | 14 | A Go library for parsing Markdown text and rendering as HTML |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-44337 was patched at 2024-11-19
31. Remote Code Execution - Chromium (CVE-2024-9965) - High [454]
Description: Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.2766 |
debian: CVE-2024-9965 was patched at 2024-10-17, 2024-10-20
32. Authentication Bypass - Mozilla Firefox (CVE-2024-10462) - High [451]
Description: Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00078, EPSS Percentile is 0.35386 |
almalinux: CVE-2024-10462 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10462 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10462 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10462 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10462 was patched at 2024-10-31
33. Authentication Bypass - Mozilla Firefox (CVE-2024-10465) - High [451]
Description: A clipboard "paste" button could persist across tabs which allowed a spoofing attack. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00078, EPSS Percentile is 0.35386 |
almalinux: CVE-2024-10465 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10465 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10465 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10465 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10465 was patched at 2024-10-31
34. Memory Corruption - libsndfile (CVE-2024-50612) - High [446]
Description: libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:libsndfile_project:libsndfile (exists in CPE dict) |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.3. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50612 was patched at 2024-11-19
35. Remote Code Execution - Polkit (CVE-2024-9050) - High [435]
Description: A flaw was found in the libreswan client plugin for NetworkManager (NetworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed in a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown` key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root on the targeted machine by creating a malicious configuration.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.9 | 14 | polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14461 |
almalinux: CVE-2024-9050 was patched at 2024-10-23, 2024-11-13
oraclelinux: CVE-2024-9050 was patched at 2024-10-23, 2024-11-08, 2024-11-18
redhat: CVE-2024-9050 was patched at 2024-10-22, 2024-10-23
redos: CVE-2024-9050 was patched at 2024-10-29
36. Remote Code Execution - Chromium (CVE-2024-10487) - High [430]
Description: Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-10487 was patched at 2024-11-03, 2024-11-19
37. Authentication Bypass - Nextcloud (CVE-2023-35927) - High [429]
Description: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, when two servers are registered as trusted servers for each other and have successfully exchanged the share secrets, the malicious server could modify or delete VCards in the system addressbook on the origin server. This would impact the available and shown information in certain places, such as the user search and avatar menu. If a manipulated user modifies their own data in the personal settings the entry is fixed again. Nextcloud Server 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. A workaround is available. Remove all trusted servers in the "Administration" > "Sharing" settings `…/index.php/settings/admin/sharing`. Afterwards, trigger a recreation of the local system addressbook with the following: `occ dav:sync-system-addressbook`.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.6 | 14 | Nextcloud server is a self hosted personal cloud system |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.6. According to NVD data source |
EPSS Percentile | 0.5 | 10 | EPSS Probability is 0.00138, EPSS Percentile is 0.50696 |
redos: CVE-2023-35927 was patched at 2024-11-13
38. Code Injection - Mozilla Firefox (CVE-2024-10466) - High [425]
Description: By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.97 | 15 | Code Injection |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00056, EPSS Percentile is 0.24607 |
almalinux: CVE-2024-10466 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10466 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10466 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10466 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10466 was patched at 2024-10-31
39. Command Injection - GNOME desktop (CVE-2024-52530) - High [425]
Description: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.97 | 15 | Command Injection |
Vulnerable Product is Common | 0.8 | 14 | GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
almalinux: CVE-2024-52530 was patched at 2024-11-13
debian: CVE-2024-52530 was patched at 2024-11-19
oraclelinux: CVE-2024-52530 was patched at 2024-11-13, 2024-11-18
redhat: CVE-2024-52530 was patched at 2024-11-13
40. Remote Code Execution - Linux Kernel (CVE-2022-48967) - High [423]
Description: In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays. While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: `memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)`. This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48967 was patched at 2024-11-19
41. Denial of Service - Starlette (CVE-2024-47874) - High [422]
Description: Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrarily large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of Service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Version 0.40.0 fixes this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 1.0 | 17 | The existence of a publicly available exploit is mentioned on BDU:PublicExploit website |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit |
CVSS Base Score | 0.0 | 10 | CVSS Base Score is NA. No data. |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-47874 was patched at 2024-10-17
42. Authentication Bypass - PHP (CVE-2024-51996) - High [415]
Description: Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached to the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.8 | 14 | PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-51996 was patched at 2024-11-15, 2024-11-19
43. Remote Code Execution - SQLite (CVE-2024-51748) - High [414]
Description: Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can run arbitrary PHP code on the server in combination with a file write possibility. The user interface language is determined and loaded by the setting `application_language` in the `settings` table. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature has control over the file path that is loaded. Exploiting this vulnerability has one constraint: the attacker must be able to place a file (called translations.php) on the system. However, this is not impossible; think of an anonymous FTP server or another application that allows uploading files. Once the attacker has placed their file with the actual PHP code as the payload, the attacker can craft the sqlite.db settings, which use path traversal to point to the directory where the `translations.php` file is stored, and gain code execution after importing the crafted sqlite.db. This issue has been addressed in version 1.2.42 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.7 | 14 | SQLite is a database engine written in the C programming language |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 9.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.11846 |
debian: CVE-2024-51748 was patched at 2024-11-19
44. Security Feature Bypass - Chromium (CVE-2024-11115) - High [413]
Description: Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11115 was patched at 2024-11-19
45. Security Feature Bypass - Mozilla Firefox (CVE-2024-10458) - High [413]
Description: A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00065, EPSS Percentile is 0.30053 |
almalinux: CVE-2024-10458 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10458 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10458 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10458 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10458 was patched at 2024-10-31
46. Information Disclosure - Mozilla Firefox (CVE-2024-10463) - High [412]
Description: Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00068, EPSS Percentile is 0.31384 |
almalinux: CVE-2024-10463 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10463 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10463 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10463 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10463 was patched at 2024-10-31
47. Remote Code Execution - Linux Kernel (CVE-2024-49878) - High [411]
Description: In the Linux kernel, the following vulnerability has been resolved: resource: fix region_intersects() vs add_memory_driver_managed()

On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows.

490000000-50fffffff : CXL Window 0
490000000-50fffffff : region0
490000000-50fffffff : dax0.0
490000000-50fffffff : System RAM (kmem)

Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs.

For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem,

$ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1
dd: error writing '/dev/mem': Bad address
1+0 records in
0+0 records out
0 bytes copied, 0.0283507 s, 0.0 kB/s

the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue.

During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM.

ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff
WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d
Call Trace:
memremap+0xcb/0x184
xlate_dev_mem_ptr+0x25/0x2f
write_mem+0x94/0xfb
vfs_write+0x128/0x26d
ksys_write+0xac/0xfe
do_syscall_64+0x9a/0xfd
entry_SYSCALL_64_after_hwframe+0x4b/0x53

The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and rejects the access.

So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found an unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore.

In the new implementation, an example resource tree

|------------- "CXL Window 0" ------------|
|-- "System RAM" --|

will behave similarly to the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ),

|-- "System RAM" --||-- "CXL Window 0a" --|

Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM".
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49878 was patched at 2024-11-19
48. Remote Code Execution - Linux Kernel (CVE-2024-49926) - High [411]
Description: In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()

For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is defined as NR_CPUS instead of the number of possible cpus; this will cause the following system panic:

smpboot: Allowing 4 CPUs, 0 hotplug CPUs
...
setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1
...
BUG: unable to handle page fault for address: ffffffff9911c8c8
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W 6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6
RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0
RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082
CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0
Call Trace:
<TASK>
? __die+0x23/0x80
? page_fault_oops+0xa4/0x180
? exc_page_fault+0x152/0x180
? asm_exc_page_fault+0x26/0x40
? rcu_tasks_need_gpcb+0x25d/0x2c0
? __pfx_rcu_tasks_kthread+0x40/0x40
rcu_tasks_one_gp+0x69/0x180
rcu_tasks_kthread+0x94/0xc0
kthread+0xe8/0x140
? __pfx_kthread+0x40/0x40
ret_from_fork+0x34/0x80
? __pfx_kthread+0x40/0x40
ret_from_fork_asm+0x1b/0x80
</TASK>

Considering that there may be holes in the CPU numbers, use the maximum possible cpu number, instead of nr_cpu_ids, for configuring enqueue and dequeue limits.

[ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49926 was patched at 2024-11-19
49. Remote Code Execution - PHP (CVE-2023-31493) - High [407]
Description: RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in the language folder, while executing a crafted payload, and escalate privileges, allowing execution of any commands on the remote system.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.8 | 14 | PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.6. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2023-31493 was patched at 2024-11-19
50. Security Feature Bypass - Windows Kernel (CVE-2024-24984) - High [405]
Description: Improper input validation for some Intel(R) Wireless Bluetooth(R) products for Windows before version 23.40 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.9 | 14 | Windows Kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-24984 was patched at 2024-11-19
51. Denial of Service - Mozilla Firefox (CVE-2024-10468) - High [401]
Description: Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132 and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00049, EPSS Percentile is 0.20256 |
ubuntu: CVE-2024-10468 was patched at 2024-10-31
52. Security Feature Bypass - Chromium (CVE-2024-9956) - High [401]
Description: Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-9956 was patched at 2024-10-17, 2024-10-20
Medium (610)
53. Remote Code Execution - Perl (CVE-2024-10979) - Medium [397]
Description: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.6 | 14 | Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-10979 was patched at 2024-11-15, 2024-11-19
54. Remote Code Execution - Python (CVE-2024-48990) - Medium [397]
Description: Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.6 | 14 | Python is a high-level, general-purpose programming language |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-48990 was patched at 2024-11-19
ubuntu: CVE-2024-48990 was patched at 2024-11-19
55. Remote Code Execution - Python (CVE-2024-48991) - Medium [397]
Description: Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.6 | 14 | Python is a high-level, general-purpose programming language |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-48991 was patched at 2024-11-19
ubuntu: CVE-2024-48991 was patched at 2024-11-19
56. Authentication Bypass - Perl (CVE-2024-52867) - Medium [394]
Description: guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0.6 | 14 | Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-52867 was patched at 2024-11-08, 2024-11-19
57. Security Feature Bypass - Linux Kernel (CVE-2024-49875) - Medium [394]
Description: In the Linux kernel, the following vulnerability has been resolved: nfsd: map the EBADMSG to nfserr_io to avoid warning

Ext4 will throw -EBADMSG through ext4_readdir when a checksum error occurs, resulting in the following WARNING. Fix it by mapping EBADMSG to nfserr_io.

nfsd_buffered_readdir
iterate_dir // -EBADMSG -74
ext4_readdir // .iterate_shared
ext4_dx_readdir
ext4_htree_fill_tree
htree_dirblock_to_tree
ext4_read_dirblock
__ext4_read_dirblock
ext4_dirblock_csum_verify
warn_no_space_for_csum
__warn_no_space_for_csum
return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
nfserrno // WARNING

[ 161.115610] ------------[ cut here ]------------
[ 161.116465] nfsd: non-standard errno: -74
[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[ 161.118596] Modules linked in:
[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 161.141519] PKRU: 55555554
[ 161.142076] Call Trace:
[ 161.142575] ? __warn+0x9b/0x140
[ 161.143229] ? nfserrno+0x9d/0xd0
[ 161.143872] ? report_bug+0x125/0x150
[ 161.144595] ? handle_bug+0x41/0x90
[ 161.145284] ? exc_invalid_op+0x14/0x70
[ 161.146009] ? asm_exc_invalid_op+0x12/0x20
[ 161.146816] ? nfserrno+0x9d/0xd0
[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0
[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0
[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170
[ 161.151004] ? generic_file_llseek_size+0x48/0x160
[ 161.151895] nfsd_readdir+0x132/0x190
[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.153516] ? nfsd_unlink+0x380/0x380
[ 161.154256] ? override_creds+0x45/0x60
[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0
[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210
[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0
[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0
[ 161.158494] ? lock_downgrade+0x90/0x90
[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10
[ 161.160092] nfsd4_encode_operation+0x15a/0x440
[ 161.160959] nfsd4_proc_compound+0x718/0xe90
[ 161.161818] nfsd_dispatch+0x18e/0x2c0
[ 161.162586] svc_process_common+0x786/0xc50
[ 161.163403] ? nfsd_svc+0x380/0x380
[ 161.164137] ? svc_printk+0x160/0x160
[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380
[ 161.165808] ? nfsd_svc+0x380/0x380
[ 161.166523] ? rcu_is_watching+0x23/0x40
[ 161.167309] svc_process+0x1a5/0x200
[ 161.168019] nfsd+0x1f5/0x380
[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260
[ 161.169554] kthread+0x1c4/0x210
[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80
[ 161.171246] ret_from_fork+0x1f/0x30
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.11609 |
debian: CVE-2024-49875 was patched at 2024-11-19
58. Information Disclosure - Linux Kernel (CVE-2024-47678) - Medium [393]
Description: In the Linux kernel, the following vulnerability has been resolved: icmp: change the order of rate limits

ICMP messages are ratelimited: After the blamed commits, the two rate limiters are applied in this order:
1) host wide ratelimit (icmp_global_allow())
2) Per destination ratelimit (inetpeer based)

In order to avoid side-channel attacks, we need to apply the per destination check first.

This patch makes the following change:
1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3)
2) The per destination limit is checked/updated. This might add a new node in inetpeer tree.
3) icmp_global_consume() consumes tokens if prior operations succeeded.

This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS.

As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-47678 was patched at 2024-11-19
59. Remote Code Execution - Apple iOS (CVE-2024-10573) - Medium [390]
Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.7 | 14 | iOS is an operating system developed and marketed by Apple Inc |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.7. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-10573 was patched at 2024-11-11, 2024-11-19
ubuntu: CVE-2024-10573 was patched at 2024-11-05
60. Denial of Service - Mozilla Firefox (CVE-2024-10459) - Medium [389]
Description: An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00088, EPSS Percentile is 0.38959 |
almalinux: CVE-2024-10459 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10459 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10459 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10459 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10459 was patched at 2024-10-31
61. Security Feature Bypass - Chromium (CVE-2024-11110) - Medium [389]
Description: Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11110 was patched at 2024-11-19
62. Security Feature Bypass - Apache Traffic Server (CVE-2024-38479) - Medium [384]
Description: Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | The Apache Traffic Server is a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-38479 was patched at 2024-11-19
63. Security Feature Bypass - Apache Traffic Server (CVE-2024-50305) - Medium [384]
Description: Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | The Apache Traffic Server is a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50305 was patched at 2024-11-19
64. Authentication Bypass - Unknown Product (CVE-2024-8805) - Medium [383]
Description: This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0.5 | 17 | The existence of a private exploit is mentioned on BDU:PrivateExploit website |
Criticality of Vulnerability Type | 0.98 | 15 | Authentication Bypass |
Vulnerable Product is Common | 0 | 14 | Unknown Product |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to BDU data source |
EPSS Percentile | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
debian: CVE-2024-8805 was patched at 2024-11-19
65. Path Traversal - Linux Kernel (CVE-2024-47742) - Medium [382]
Description: In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Block path traversal. Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are:
- lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd()
- nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.)
- module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.)
Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Path Traversal |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47742 was patched at 2024-11-19
66. Command Injection - Perl (CVE-2024-11168) - Medium [380]
Description: The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.97 | 15 | Command Injection |
Vulnerable Product is Common | 0.6 | 14 | Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 6.3. According to Vulners data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00062, EPSS Percentile is 0.27805 |
debian: CVE-2024-11168 was patched at 2024-11-19
67. Denial of Service - GNOME desktop (CVE-2024-52532) - Medium [377]
Description: GNOME libsoup before 3.6.1 has an infinite loop and memory consumption during the reading of certain patterns of WebSocket data from clients.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.8 | 14 | GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
almalinux: CVE-2024-52532 was patched at 2024-11-13
debian: CVE-2024-52532 was patched at 2024-11-19
oraclelinux: CVE-2024-52532 was patched at 2024-11-13, 2024-11-18
redhat: CVE-2024-52532 was patched at 2024-11-13
68. Denial of Service - Mozilla Firefox (CVE-2024-10464) - Medium [377]
Description: Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00056, EPSS Percentile is 0.24607 |
almalinux: CVE-2024-10464 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10464 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10464 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10464 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10464 was patched at 2024-10-31
69. Elevation of Privilege - sentry_software_development_kit (CVE-2023-28117) - Medium [377]
Description: Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.85 | 15 | Elevation of Privilege |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:sentry:sentry_software_development_kit (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.6. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.0009, EPSS Percentile is 0.39801 |
redos: CVE-2023-28117 was patched at 2024-10-22
70. Security Feature Bypass - Chromium (CVE-2024-9966) - Medium [377]
Description: Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-9966 was patched at 2024-10-17, 2024-10-20
71. Security Feature Bypass - Mozilla Firefox (CVE-2024-10460) - Medium [377]
Description: The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.4. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00052, EPSS Percentile is 0.21733 |
almalinux: CVE-2024-10460 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10460 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10460 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10460 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10460 was patched at 2024-10-31
72. Security Feature Bypass - TLS (CVE-2024-49369) - Medium [375]
Description: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | TLS |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.11609 |
debian: CVE-2024-49369 was patched at 2024-11-19
73. Security Feature Bypass - mutt (CVE-2024-49393) - Medium [375]
Description: In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing, which allows an attacker that intercepts a message to change their value and include himself as one of the recipients to compromise message confidentiality.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:mutt:mutt (exists in CPE dict) |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.4. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00087, EPSS Percentile is 0.38352 |
debian: CVE-2024-49393 was patched at 2024-11-19
74. Denial of Service - .NET and Visual Studio (CVE-2024-43499) - Medium [372]
Description: .NET and Visual Studio Denial of Service Vulnerability
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.7 | 14 | .NET and Visual Studio |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00063, EPSS Percentile is 0.28581 |
almalinux: CVE-2024-43499 was patched at 2024-11-13
oraclelinux: CVE-2024-43499 was patched at 2024-11-19
ubuntu: CVE-2024-43499 was patched at 2024-11-12
75. Security Feature Bypass - Oracle MySQL (CVE-2024-21196) - Medium [372]
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: X Plugin). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21196 was patched at 2024-11-12
76. Cross Site Scripting - Mozilla Firefox (CVE-2024-10461) - Medium [371]
Description: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.8 | 14 | Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 6.1. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00053, EPSS Percentile is 0.22687 |
almalinux: CVE-2024-10461 was patched at 2024-10-31, 2024-11-04, 2024-11-13
debian: CVE-2024-10461 was patched at 2024-10-31, 2024-11-05, 2024-11-19
oraclelinux: CVE-2024-10461 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18
redhat: CVE-2024-10461 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13
ubuntu: CVE-2024-10461 was patched at 2024-10-31
77. Memory Corruption - Linux Kernel (CVE-2024-47692) - Medium [370]
Description: In the Linux kernel, the following vulnerability has been resolved: nfsd: return -EINVAL when namelen is 0. When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered (KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260; the full call trace and register dump are not reproduced here). Fix it by checking namelen.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.4 | 10 | EPSS Probability is 0.00096, EPSS Percentile is 0.41538 |
debian: CVE-2024-47692 was patched at 2024-11-19
78. Remote Code Execution - NVIDIA GPU Display Driver (CVE-2024-0126) - Medium [369]
Description: NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.5 | 14 | A NVIDIA driver is a software program that enables communication between your computer and the NVIDIA graphics processor installed in your system |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.2. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-0126 was patched at 2024-11-19
79. Remote Code Execution - cli (CVE-2024-52308) - Medium [369]
Description: The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as the remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command, while the `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is validated before being used.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:github:cli (does NOT exist in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-52308 was patched at 2024-11-19
80. Path Traversal - Perl (CVE-2024-9676) - Medium [367]
Description: A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Path Traversal |
Vulnerable Product is Common | 0.6 | 14 | Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.5 | 10 | EPSS Probability is 0.00112, EPSS Percentile is 0.45795 |
almalinux: CVE-2024-9676 was patched at 2024-11-11
debian: CVE-2024-9676 was patched at 2024-10-17, 2024-11-19
oraclelinux: CVE-2024-9676 was patched at 2024-11-11
redhat: CVE-2024-9676 was patched at 2024-10-29, 2024-10-30, 2024-10-31, 2024-11-06, 2024-11-07, 2024-11-08, 2024-11-11, 2024-11-12, 2024-11-13
redos: CVE-2024-9676 was patched at 2024-10-29
81. Security Feature Bypass - Python (CVE-2024-47879) - Medium [367]
Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.6 | 14 | Python is a high-level, general-purpose programming language |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.6. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-47879 was patched at 2024-11-19
82. Memory Corruption - Chromium (CVE-2024-9954) - Medium [365]
Description: Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.2766 |
debian: CVE-2024-9954 was patched at 2024-10-17, 2024-10-20
83. Memory Corruption - GNOME desktop (CVE-2024-52533) - Medium [365]
Description: gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems |
CVSS Base Score | 1.0 | 10 | CVSS Base Score is 9.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-52533 was patched at 2024-11-19
ubuntu: CVE-2024-52533 was patched at 2024-11-18
84. Security Feature Bypass - Chromium (CVE-2024-9958) - Medium [365]
Description: Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-9958 was patched at 2024-10-17, 2024-10-20
85. Security Feature Bypass - Chromium (CVE-2024-9963) - Medium [365]
Description: Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-9963 was patched at 2024-10-17, 2024-10-20
86. Security Feature Bypass - Node.js (CVE-2024-48948) - Medium [365]
Description: The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-48948 was patched at 2024-10-17
87. Security Feature Bypass - Suricata (CVE-2024-47187) - Medium [363]
Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can cause dataset file loading to take excessive time, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. Avoid dataset rules that track traffic in rules.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:oisf:suricata (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-47187 was patched at 2024-11-19
88. Security Feature Bypass - Suricata (CVE-2024-47188) - Medium [363]
Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:oisf:suricata (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-47188 was patched at 2024-11-19
89. Remote Code Execution - Perl (CVE-2024-11079) - Medium [361]
Description: A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.6 | 14 | Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
debian: CVE-2024-11079 was patched at 2024-11-19
90. Path Traversal - SQLite (CVE-2024-51747) - Medium [360]
Description: Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments that are viewable or downloadable in Kanboard are resolved through their `path` entry in the `project_has_files` SQLite db. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature can set arbitrary file links by abusing path traversals. Once the modified db is uploaded and the project page is accessed, a file download can be triggered and all files readable in the context of the Kanboard application permissions can be downloaded. This issue has been addressed in version 1.2.42 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Path Traversal |
Vulnerable Product is Common | 0.7 | 14 | SQLite is a database engine written in the C programming language |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 9.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.11846 |
debian: CVE-2024-51747 was patched at 2024-11-19
91. Denial of Service - Linux Kernel (CVE-2024-42251) - Medium [358]
Description: In the Linux kernel, the following vulnerability has been resolved: mm: page_ref: remove folio_try_get_rcu() The below bug was reported on a non-SMP kernel: [ 275.267158][ T4335] ------------[ cut here ]------------ [ 275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275! [ 275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI [ 275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1 [ 275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202 [ 275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000 [ 275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034 [ 275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006 [ 275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136 [ 275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008 [ 275.276790][ T4335] FS: 00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000 [ 275.277570][ T4335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0 [ 275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 275.280201][ T4335] Call Trace: [ 275.280499][ T4335] <TASK> [ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) [ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153) [ 275.281463][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174) [ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212) [ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264) [ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568) [ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.285278][ T4335] try_grab_folio (mm/gup.c:148) [ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1)) [ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188) [ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825) [ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1)) [ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209) [ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204) [ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722) [ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106) [ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350) [ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350) [ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1)) [ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360 [ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10 [ 275.292471][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0 [ 275.293384][ T4335] ? hlock_class (a ---truncated---
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
ubuntu: CVE-2024-42251 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
92. Denial of Service - Linux Kernel (CVE-2024-49856) - Medium [358]
Description: In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Fix deadlock in SGX NUMA node search When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask. Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality. Rework the loop to start and end on *a* node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49856 was patched at 2024-11-19
93. Denial of Service - Linux Kernel (CVE-2024-49932) - Medium [358]
Description: In the Linux kernel, the following vulnerability has been resolved: btrfs: don't readahead the relocation inode on RST On relocation we're doing readahead on the relocation inode, but if the filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to preallocated extents not being mapped in the RST) from the lookup. But readahead doesn't handle the error and submits invalid reads to the device, causing an assertion in the scatter-gather list code: BTRFS info (device nvme1n1): balance: start -d -m -s BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0 BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0 ------------[ cut here ]------------ kernel BUG at include/linux/scatterlist.h:115! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567 RIP: 0010:__blk_rq_map_sg+0x339/0x4a0 RSP: 0018:ffffc90001a43820 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802 RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000 RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8 R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000 FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0 Call Trace: <TASK> ? __die_body.cold+0x14/0x25 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x65/0x80 ? __blk_rq_map_sg+0x339/0x4a0 ? exc_invalid_op+0x50/0x70 ? __blk_rq_map_sg+0x339/0x4a0 ? asm_exc_invalid_op+0x1a/0x20 ? __blk_rq_map_sg+0x339/0x4a0 nvme_prep_rq.part.0+0x9d/0x770 nvme_queue_rq+0x7d/0x1e0 __blk_mq_issue_directly+0x2a/0x90 ? blk_mq_get_budget_and_tag+0x61/0x90 blk_mq_try_issue_list_directly+0x56/0xf0 blk_mq_flush_plug_list.part.0+0x52b/0x5d0 __blk_flush_plug+0xc6/0x110 blk_finish_plug+0x28/0x40 read_pages+0x160/0x1c0 page_cache_ra_unbounded+0x109/0x180 relocate_file_extent_cluster+0x611/0x6a0 ? btrfs_search_slot+0xba4/0xd20 ? balance_dirty_pages_ratelimited_flags+0x26/0xb00 relocate_data_extent.constprop.0+0x134/0x160 relocate_block_group+0x3f2/0x500 btrfs_relocate_block_group+0x250/0x430 btrfs_relocate_chunk+0x3f/0x130 btrfs_balance+0x71b/0xef0 ? kmalloc_trace_noprof+0x13b/0x280 btrfs_ioctl+0x2c2e/0x3030 ? kvfree_call_rcu+0x1e6/0x340 ? list_lru_add_obj+0x66/0x80 ? mntput_no_expire+0x3a/0x220 __x64_sys_ioctl+0x96/0xc0 do_syscall_64+0x54/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fcc04514f9b Code: Unable to access opcode bytes at 0x7fcc04514f71. RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001 R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5 R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__blk_rq_map_sg+0x339/0x4a0 RSP: 0018:ffffc90001a43820 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802 RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000 RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8 R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000 FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0 Kernel p ---truncated---
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-49932 was patched at 2024-11-19
94. Denial of Service - Linux Kernel (CVE-2024-49951) - Medium [358]
Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed If mgmt_index_removed is called while there are commands queued on cmd_sync it could lead to crashes like the below trace: 0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc 0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth] 0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth] 0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth] So while handling mgmt_index_removed this attempts to dequeue commands passed as user_data to cmd_sync.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49951 was patched at 2024-11-19
95. Denial of Service - Linux Kernel (CVE-2024-49974) - Medium [358]
Description: In the Linux kernel, the following vulnerability has been resolved: NFSD: Limit the number of concurrent async COPY operations Nothing appears to limit the number of concurrent async COPY operations that clients can start. In addition, AFAICT each async COPY can copy an unlimited number of 4MB chunks, so can run for a long time. Thus IMO async COPY can become a DoS vector. Add a restriction mechanism that bounds the number of concurrent background COPY operations. Start simple and try to be fair -- this patch implements a per-namespace limit. An async COPY request that occurs while this limit is exceeded gets NFS4ERR_DELAY. The requesting client can choose to send the request again after a delay or fall back to a traditional read/write style copy. If there is need to make the mechanism more sophisticated, we can visit that in future patches.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49974 was patched at 2024-11-19
96. Denial of Service - Linux Kernel (CVE-2024-50146) - Medium [358]
Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't call cleanup on profile rollback failure When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50146 was patched at 2024-11-19
97. Security Feature Bypass - Chromium (CVE-2024-11117) - Medium [353]
Description: Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11117 was patched at 2024-11-19
98. Security Feature Bypass - Oracle MySQL (CVE-2024-21193) - Medium [348]
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21193 was patched at 2024-11-12
99. Security Feature Bypass - Oracle MySQL (CVE-2024-21194) - Medium [348]
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21194 was patched at 2024-11-12
100. Security Feature Bypass - Oracle MySQL (CVE-2024-21197) - Medium [348]
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21197 was patched at 2024-11-12
101. Security Feature Bypass - Oracle MySQL (CVE-2024-21198) - Medium [348]
Description (NVD; the Vulners entry carries the same text): Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21198 was patched at 2024-11-12
102. Security Feature Bypass - Oracle MySQL (CVE-2024-21199) - Medium [348]
Description (NVD; the Vulners entry carries the same text): Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21199 was patched at 2024-11-12
103. Security Feature Bypass - Oracle MySQL (CVE-2024-21201) - Medium [348]
Description (NVD; the Vulners entry carries the same text): Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21201 was patched at 2024-11-12
104. Remote Code Execution - Artifex Ghostscript (CVE-2024-46951) - Medium [347]
Description: An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.3 | 14 | Artifex Ghostscript is an interpreter for the PostScript® language and PDF files |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.0005, EPSS Percentile is 0.2115 |
debian: CVE-2024-46951 was patched at 2024-11-11, 2024-11-19
ubuntu: CVE-2024-46951 was patched at 2024-11-12
105. Remote Code Execution - Artifex Ghostscript (CVE-2024-46953) - Medium [347]
Description: An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.3 | 14 | Artifex Ghostscript is an interpreter for the PostScript® language and PDF files |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.0005, EPSS Percentile is 0.2115 |
debian: CVE-2024-46953 was patched at 2024-11-11, 2024-11-19
ubuntu: CVE-2024-46953 was patched at 2024-11-12
106. Remote Code Execution - Artifex Ghostscript (CVE-2024-46956) - Medium [347]
Description: An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 1.0 | 15 | Remote Code Execution |
Vulnerable Product is Common | 0.3 | 14 | Artifex Ghostscript is an interpreter for the PostScript® language and PDF files |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.0005, EPSS Percentile is 0.2115 |
debian: CVE-2024-46956 was patched at 2024-11-11, 2024-11-19
ubuntu: CVE-2024-46956 was patched at 2024-11-12
107. Incorrect Calculation - Linux Kernel (CVE-2022-49030) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: libbpf: Handle size overflow for ringbuf mmap The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries will overflow u32 when mapping producer page and data pages. Only casting max_entries to size_t is not enough, because for 32-bits application on 64-bits kernel the size of read-only mmap region also could overflow size_t. So fixing it by casting the size of read-only mmap region into a __u64 and checking whether or not there will be overflow during mmap.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49030 was patched at 2024-11-19
108. Incorrect Calculation - Linux Kernel (CVE-2024-47682) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() If the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47682 was patched at 2024-11-19
109. Memory Corruption - Linux Kernel (CVE-2022-48948) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Prevent buffer overflow in setup handler Setup function uvc_function_setup permits control transfer requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE), data stage handler for OUT transfer uses memcpy to copy req->actual bytes to uvc_event->data.data array of size 60. This may result in an overflow of 4 bytes.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48948 was patched at 2024-11-19
110. Memory Corruption - Linux Kernel (CVE-2022-48950) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: perf: Fix perf_pending_task() UaF Per syzbot it is possible for perf_pending_task() to run after the event is free()'d. There are two related but distinct cases: - the task_work was already queued before destroying the event; - destroying the event itself queues the task_work. The first cannot be solved using task_work_cancel() since perf_release() itself might be called from a task_work (____fput), which means the current->task_works list is already empty and task_work_cancel() won't be able to find the perf_pending_task() entry. The simplest alternative is extending the perf_event lifetime to cover the task_work. The second is just silly, queueing a task_work while you know the event is going away makes no sense and is easily avoided by re-arranging how the event is marked STATE_DEAD and ensuring it goes through STATE_OFF on the way down.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48950 was patched at 2024-11-19
111. Memory Corruption - Linux Kernel (CVE-2022-48951) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() The bounds checks in snd_soc_put_volsw_sx() are only being applied to the first channel, meaning it is possible to write out of bounds values to the second channel in stereo controls. Add appropriate checks.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48951 was patched at 2024-11-19
112. Memory Corruption - Linux Kernel (CVE-2022-48954) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix use-after-free in hsci KASAN found that addr was dereferenced after br2dev_event_work was freed. ================================================================== BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 Hardware name: IBM 8561 T01 703 (LPAR) Workqueue: 0.0.8000_event qeth_l2_br2dev_worker Call Trace: [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0 [<000000016942d118>] print_report+0x110/0x1f8 [<0000000167a7bd04>] kasan_report+0xfc/0x128 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0 [<00000001673edd1e>] process_one_work+0x76e/0x1128 [<00000001673ee85c>] worker_thread+0x184/0x1098 [<000000016740718a>] kthread+0x26a/0x310 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8 [<00000001694711da>] ret_from_fork+0xa/0x40 Allocated by task 108338: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 __kasan_kmalloc+0xa0/0xc0 qeth_l2_switchdev_event+0x25a/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Freed by task 540: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 kasan_save_free_info+0x4c/0x68 ____kasan_slab_free+0x14e/0x1a8 __kasan_slab_free+0x24/0x30 __kmem_cache_free+0x168/0x338 qeth_l2_br2dev_worker+0x154/0x6b0 process_one_work+0x76e/0x1128 
worker_thread+0x184/0x1098 kthread+0x26a/0x310 __ret_from_fork+0x8a/0xe8 ret_from_fork+0xa/0x40 Last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 insert_work+0x56/0x2e8 __queue_work+0x4ce/0xd10 queue_work_on+0xf4/0x100 qeth_l2_switchdev_event+0x520/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Second to last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 kvfree_call_rcu+0xb2/0x760 kernfs_unlink_open_file+0x348/0x430 kernfs_fop_release+0xc2/0x320 __fput+0x1ae/0x768 task_work_run+0x1bc/0x298 exit_to_user_mode_prepare+0x1a0/0x1a8 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 The buggy address belongs to the object at 00000000fdcea400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [00000000fdcea400, 00000000fdcea460) The buggy address belongs to the physical page: page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc 00000000fdcea380: fb fb fb fb fb fb f ---truncated---
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48954 was patched at 2024-11-19
113. Memory Corruption - Linux Kernel (CVE-2022-48956) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6_fragment() Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. It seems to not be always true, at least for UDP stack. syzbot reported: BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline] BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618 CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 ip6_dst_idev include/net/ip6_fib.h:245 [inline] ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951 __ip6_finish_output net/ipv6/ip6_output.c:193 [inline] ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206 NF_HOOK_COND include/linux/netfilter.h:291 [inline] ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227 dst_output include/net/dst.h:445 [inline] ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161 ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966 udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286 udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313 udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xd3/0x120 net/socket.c:734 sock_write_iter+0x295/0x3d0 net/socket.c:1108 call_write_iter include/linux/fs.h:2191 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9ed/0xdd0 fs/read_write.c:584 ksys_write+0x1ec/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 
arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fde3588c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9 RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000 </TASK> Allocated by task 7618: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422 dst_alloc+0x14a/0x1f0 net/core/dst.c:92 ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344 ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline] rt6_make_pcpu_route net/ipv6/route.c:1417 [inline] ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254 pol_lookup_func include/net/ip6_fib.h:582 [inline] fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121 ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625 ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638 ip6_route_output include/net/ip6_route.h:98 [inline] ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092 ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222 ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260 udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665 sock_sendmsg_nosec n ---truncated---
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48956 was patched at 2024-11-19
114. Memory Corruption - Linux Kernel (CVE-2022-48960) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48960 was patched at 2024-11-19
115. Memory Corruption - Linux Kernel (CVE-2022-48962) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48962 was patched at 2024-11-19
116. Memory Corruption - Linux Kernel (CVE-2022-48964) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ravb: Fix potential use-after-free in ravb_rx_gbeth() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2022-48964 was patched at 2024-11-19
117. Memory Corruption - Linux Kernel (CVE-2022-48980) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet is classified as multicast, it will be processed by the policer index 99 + SRCPORT. The sja1105_init_l2_policing() function initializes all L2 policers such that they don't interfere with normal packet reception by default. To have a common code between SJA1105 and SJA1110, the index of the multicast policer for the port is calculated because it's an index that is out of bounds for SJA1105 but in bounds for SJA1110, and a bounds check is performed. The code fails to do the proper thing when determining what to do with the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast" index will be equal to 45, which is also equal to table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes through the check. But at the same time, SJA1105 doesn't have multicast policers. So the code programs the SHARINDX field of an out-of-bounds element in the L2 Policing table of the static config. The comparison between index 45 and 45 entries should have determined the code to not access this policer index on SJA1105, since its memory wasn't even allocated. With enough bad luck, the out-of-bounds write could even overwrite other valid kernel data, but in this case, the issue was detected using KASAN. 
Kernel log: sja1105 spi5.0: Probed switch chip: SJA1105Q ================================================================== BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340 Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8 ... Workqueue: events_unbound deferred_probe_work_func Call trace: ... sja1105_setup+0x1cbc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ... Allocated by task 8: ... sja1105_setup+0x1bcc/0x2340 dsa_register_switch+0x1284/0x18d0 sja1105_probe+0x748/0x840 ...
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48980 was patched at 2024-11-19
118. Memory Corruption - Linux Kernel (CVE-2022-48981) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48981 was patched at 2024-11-19
119. Memory Corruption - Linux Kernel (CVE-2022-48990) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free during gpu recovery [Why] [ 754.862560] refcount_t: underflow; use-after-free. [ 754.862898] Call Trace: [ 754.862903] <TASK> [ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu] [ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched] [How] The fw_fence may not be initialized; check whether dma_fence_init is performed before job free
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2022-48990 was patched at 2024-11-19
120. Memory Corruption - Linux Kernel (CVE-2022-48991) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free. I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48991 was patched at 2024-11-19
121. Memory Corruption - Linux Kernel (CVE-2022-48998) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: powerpc/bpf/32: Fix Oops on tail call tests test_bpf tail call tests end up as: test_bpf: #0 Tail call leaf jited:1 85 PASS test_bpf: #1 Tail call 2 jited:1 111 PASS test_bpf: #2 Tail call 3 jited:1 145 PASS test_bpf: #3 Tail call 4 jited:1 170 PASS test_bpf: #4 Tail call load/store leaf jited:1 190 PASS test_bpf: #5 Tail call load/store jited:1 BUG: Unable to handle kernel data access on write at 0xf1b4e000 Faulting instruction address: 0xbe86b710 Oops: Kernel access of bad area, sig: 11 [#1] BE PAGE_SIZE=4K MMU=Hash PowerMac Modules linked in: test_bpf(+) CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195 Hardware name: PowerMac3,1 750CL 0x87210 PowerMac NIP: be86b710 LR: be857e88 CTR: be86b704 REGS: f1b4df20 TRAP: 0300 Not tainted (6.1.0-rc4+) MSR: 00009032 <EE,ME,IR,DR,RI> CR: 28008242 XER: 00000000 DAR: f1b4e000 DSISR: 42000000 GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000 GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8 GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000 GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00 NIP [be86b710] 0xbe86b710 LR [be857e88] __run_one+0xec/0x264 [test_bpf] Call Trace: [f1b4dfe0] [00000002] 0x2 (unreliable) Instruction dump: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX ---[ end trace 0000000000000000 ]--- This is an attempt to write above the stack. The problem is encountered with tests added by commit 38608ee7b690 ("bpf, tests: Add load store test case for tail call") This happens because tail call is done to a BPF prog with a different stack_depth. At the time being, the stack is kept as is when the caller tail calls its callee. But at exit, the callee restores the stack based on its own properties. Therefore here, at each run, r1 is erroneously increased by 32 - 16 = 16 bytes. This was done that way in order to pass the tail call count from caller to callee through the stack. As powerpc32 doesn't have a red zone in the stack, it was necessary to maintain the stack as is for the tail call. But it was not anticipated that the BPF frame size could be different. Let's take a new approach. Use register r4 to carry the tail call count during the tail call, and save it into the stack at function entry if required. This means the input parameter must be in r3, which is more correct as it is a 32 bits parameter, then tail call better match with normal BPF function entry, the down side being that we move that input parameter back and forth between r3 and r4. That can be optimised later. Doing that also has the advantage of maximising the common parts between tail calls and a normal function exit. With the fix, tail call tests are now successful: test_bpf: #0 Tail call leaf jited:1 53 PASS test_bpf: #1 Tail call 2 jited:1 115 PASS test_bpf: #2 Tail call 3 jited:1 154 PASS test_bpf: #3 Tail call 4 jited:1 165 PASS test_bpf: #4 Tail call load/store leaf jited:1 101 PASS test_bpf: #5 Tail call load/store jited:1 141 PASS test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2022-48998 was patched at 2024-11-19
122. Memory Corruption - Linux Kernel (CVE-2022-49006) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number, that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel: # cd /sys/kernel/tracing # for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available one until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When a dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and creating another will reuse the previous event's type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event reads the do_sys_openat2 function call's first parameter as an integer. # echo 1 > kprobes/foo/enable # cat /etc/passwd > /dev/null # cat trace cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 # echo 0 > kprobes/foo/enable Now if we delete the kprobe and create a new one that reads a string: # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events And now we can see the trace: # cat trace sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="��������������������������������������� ---truncated---
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49006 was patched at 2024-11-19
123. Memory Corruption - Linux Kernel (CVE-2022-49014) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10237 [inline] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb3d/0x2a30 kernel/exit.c:820 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x21b1/0x2440 kernel/signal.c:2858 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue 
is that sock_put() from __tun_detach() drops the last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses to the struct net have been done.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49014 was patched at 2024-11-19
124. Memory Corruption - Linux Kernel (CVE-2022-49015) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: hsr: Fix potential use-after-free The skb is delivered to netif_rx() which may free it, after calling this, dereferencing skb may trigger use-after-free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49015 was patched at 2024-11-19
125. Memory Corruption - Linux Kernel (CVE-2022-49017) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: tipc: re-fetch skb cb after tipc_msg_validate As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause a use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the newly allocated skb after calling tipc_msg_validate().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49017 was patched at 2024-11-19
126. Memory Corruption - Linux Kernel (CVE-2022-49023) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix buffer overflow in elem comparison For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49023 was patched at 2024-11-19
127. Memory Corruption - Linux Kernel (CVE-2022-49025) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free when reverting termination table When having multiple dests with termination tables and the second one or a later one fails, the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl, which causes a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to null.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49025 was patched at 2024-11-19
128. Memory Corruption - Linux Kernel (CVE-2022-49026) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49026 was patched at 2024-11-19
129. Memory Corruption - Linux Kernel (CVE-2022-49029) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Smatch reports a warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removing it from driver_data.bmc_data before free().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49029 was patched at 2024-11-19
130. Memory Corruption - Linux Kernel (CVE-2023-52769) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix htt mlo-offset event locking The ath12k active pdevs are protected by RCU but the htt mlo-offset event handling code calling ath12k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
redos: CVE-2023-52769 was patched at 2024-11-19
131. Memory Corruption - Linux Kernel (CVE-2024-42108) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: rswitch: Avoid use-after-free in rswitch_poll() The use-after-free is actually in rswitch_tx_free(), which is inlined in rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the same pointer, the skb is first freed using dev_kfree_skb_any(), then the value in skb->len is used to update the interface statistics. Let's move around the instructions to use skb->len before the skb is freed. This bug is trivial to reproduce using KFENCE. It will trigger a splat every few packets. A simple ARP request or ICMP echo request is enough.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
ubuntu: CVE-2024-42108 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
132. Memory Corruption - Linux Kernel (CVE-2024-43888) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: mm: list_lru: fix UAF for memory cgroup The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or cgroup_mutex or others which could prevent returned memcg from being freed. Fix it by adding missing rcu read lock. Found by code inspection. [songmuchun@bytedance.com: only grab rcu lock when necessary, per Vlastimil] Link: https://lkml.kernel.org/r/20240801024603.1865-1-songmuchun@bytedance.com
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
oraclelinux: CVE-2024-43888 was patched at 2024-11-14
133. Memory Corruption - Linux Kernel (CVE-2024-47691) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() syzbot reports a f2fs bug as below: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_report+0xe8/0x550 mm/kasan/report.c:491 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] __refcount_add include/linux/refcount.h:184 [inline] __refcount_inc include/linux/refcount.h:241 [inline] refcount_inc include/linux/refcount.h:258 [inline] get_task_struct include/linux/sched/task.h:118 [inline] kthread_stop+0xca/0x630 kernel/kthread.c:704 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline] __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is below race condition, it may cause use-after-free issue in sbi->gc_th pointer. - remount - f2fs_remount - f2fs_stop_gc_thread - kfree(gc_th) - f2fs_ioc_shutdown - f2fs_do_shutdown - f2fs_stop_gc_thread - kthread_stop(gc_th->f2fs_gc_task) : sbi->gc_thread = NULL; We will call f2fs_do_shutdown() in two paths: - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore for fixing. - for f2fs_shutdown() path, it's safe since caller has already grabbed sb->s_umount semaphore.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47691 was patched at 2024-11-19
134. Memory Corruption - Linux Kernel (CVE-2024-47695) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds In the function init_conns(), if something fails after the create_con() and create_cm() for loop, the cleanup for loop after the destroy tag accesses out of bounds memory because cid is set to clt_path->s.con_num. This commit resets the cid to clt_path->s.con_num - 1, to stay in bounds in the cleanup loop later.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47695 was patched at 2024-11-19
135. Memory Corruption - Linux Kernel (CVE-2024-47696) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function flush_workqueue is invoked to flush the work queue iwcm_wq. But at that time, the work queue iwcm_wq was created via the function alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM. Because the current process is trying to flush the whole iwcm_wq, if iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current process is not reclaiming memory or running on a workqueue which doesn't have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to a deadlock. The call trace is as below: [ 125.350876][ T1430] Call Trace: [ 125.356281][ T1430] <TASK> [ 125.361285][ T1430] ? __warn (kernel/panic.c:693) [ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219) [ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239) [ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) [ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970) [ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151) [ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm [ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910) [ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) [ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm [ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma [ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma [ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231) [ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393) [ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339) [ 125.531837][ T1430] kthread (kernel/kthread.c:389) [ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147) [ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 125.566487][ T1430] </TASK> [ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47696 was patched at 2024-11-19
136. Memory Corruption - Linux Kernel (CVE-2024-47697) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47697 was patched at 2024-11-19
137. Memory Corruption - Linux Kernel (CVE-2024-47698) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. [hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47698 was patched at 2024-11-19
138. Memory Corruption - Linux Kernel (CVE-2024-47701) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47701 was patched at 2024-11-19
139. Memory Corruption - Linux Kernel (CVE-2024-47718) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: always wait for both firmware loading attempts In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47718 was patched at 2024-11-19
140. Memory Corruption - Linux Kernel (CVE-2024-47730) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - inject error before stopping queue The master ooo cannot be completely closed when the accelerator core reports memory error. Therefore, the driver needs to inject the qm error to close the master ooo. Currently, the qm error is injected after stopping queue, memory may be released immediately after stopping queue, causing the device to access the released memory. Therefore, error is injected to close master ooo before stopping queue to ensure that the device does not access the released memory.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47730 was patched at 2024-11-19
141. Memory Corruption - Linux Kernel (CVE-2024-47748) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47748 was patched at 2024-11-19
142. Memory Corruption - Linux Kernel (CVE-2024-47750) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 Currently rsv_qp is freed before ib_unregister_device() is called on HIP08. During the time interval, users can still dereg MR and rsv_qp will be used in this process, leading to a UAF. Move the release of rsv_qp after calling ib_unregister_device() to fix it.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47750 was patched at 2024-11-19
143. Memory Corruption - Linux Kernel (CVE-2024-47751) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() Within kirin_pcie_parse_port(), the pcie->num_slots is compared to pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead to an overflow. Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move pcie->num_slots increment below the if-statement to avoid out-of-bounds array access. Found by Linux Verification Center (linuxtesting.org) with SVACE. [kwilczynski: commit log]
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47751 was patched at 2024-11-19
144. Memory Corruption - Linux Kernel (CVE-2024-49852) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() The kref_put() function will call nport->release if the refcount drops to zero. The nport->release release function is _efc_nport_free() which frees "nport". But then we dereference "nport" on the next line which is a use after free. Re-order these lines to avoid the use after free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49852 was patched at 2024-11-19
145. Memory Corruption - Linux Kernel (CVE-2024-49853) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in OPTEE transport Channels can be shared between protocols, avoid freeing the same channel descriptors twice when unloading the stack.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49853 was patched at 2024-11-19
146. Memory Corruption - Linux Kernel (CVE-2024-49854) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current process is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recording the bfqq and then accessing bfqq->waker_bfqq may trigger a UAF. What's more, the waker_bfqq may be in the merge chain of bfqq, hence just recording waker_bfqq is still not safe. Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and the current process is the only holder.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49854 was patched at 2024-11-19
147. Memory Corruption - Linux Kernel (CVE-2024-49882) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: fix double brelse() the buffer of the extents path In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been released, otherwise it may be released twice. An example of what triggers this is as follows: split2 map split1 |--------|-------|--------| ext4_ext_map_blocks ext4_ext_handle_unwritten_extents ext4_split_convert_extents // path->p_depth == 0 ext4_split_extent // 1. do split1 ext4_split_extent_at |ext4_ext_insert_extent | ext4_ext_create_new_leaf | ext4_ext_grow_indepth | le16_add_cpu(&neh->eh_depth, 1) | ext4_find_extent | // return -ENOMEM |// get error and try zeroout |path = ext4_find_extent | path->p_depth = 1 |ext4_ext_try_to_merge | ext4_ext_try_to_merge_up | path->p_depth = 0 | brelse(path[1].p_bh) ---> not set to NULL here |// zeroout success // 2. update path ext4_find_extent // 3. do split2 ext4_split_extent_at ext4_ext_insert_extent ext4_ext_create_new_leaf ext4_ext_grow_indepth le16_add_cpu(&neh->eh_depth, 1) ext4_find_extent path[0].p_bh = NULL; path->p_depth = 1 read_extent_tree_block ---> return err // path[1].p_bh is still the old value ext4_free_ext_path ext4_ext_drop_refs // path->p_depth == 1 brelse(path[1].p_bh) ---> brelse a buffer twice Finally got the following WARNING when removing the buffer from lru: ============================================ VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90 CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716 RIP: 0010:__brelse+0x58/0x90 Call Trace: <TASK> __find_get_block+0x6e7/0x810 bdev_getblk+0x2b/0x480 __ext4_get_inode_loc+0x48a/0x1240 ext4_get_inode_loc+0xb2/0x150 ext4_reserve_inode_write+0xb7/0x230 __ext4_mark_inode_dirty+0x144/0x6a0 ext4_ext_insert_extent+0x9c8/0x3230 ext4_ext_map_blocks+0xf45/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ============================================
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49882 was patched at 2024-11-19
148. Memory Corruption - Linux Kernel (CVE-2024-49883) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: aovid use-after-free in ext4_ext_insert_extent() As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values: ext4_ext_insert_extent path = *ppath = 2000 ext4_ext_create_new_leaf(ppath) ext4_find_extent(ppath) path = *ppath = 2000 if (depth > path[0].p_maxdepth) kfree(path = 2000); *ppath = path = NULL; path = kcalloc() = 3000 *ppath = 3000; return path; /* here path is still 2000, UAF! */ eh = path[depth].p_hdr ================================================================== BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330 Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179 CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866 Call Trace: <TASK> ext4_ext_insert_extent+0x26d4/0x3330 ext4_ext_map_blocks+0xe22/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 [...] Allocated by task 179: ext4_find_extent+0x81c/0x1f70 ext4_ext_map_blocks+0x146/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 ext4_writepages+0x26d/0x4e0 do_writepages+0x175/0x700 [...] Freed by task 179: kfree+0xcb/0x240 ext4_find_extent+0x7c0/0x1f70 ext4_ext_insert_extent+0xa26/0x3330 ext4_ext_map_blocks+0xe22/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 ext4_writepages+0x26d/0x4e0 do_writepages+0x175/0x700 [...] ================================================================== So use *ppath to update the path to avoid the above problem.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49883 was patched at 2024-11-19
149. Memory Corruption - Linux Kernel (CVE-2024-49884) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49884 was patched at 2024-11-19
150. Memory Corruption - Linux Kernel (CVE-2024-49889) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: avoid use-after-free in ext4_ext_show_leaf() In ext4_find_extent(), path may be freed by error or be reallocated, so using a previously saved *ppath may have been freed and thus may trigger use-after-free, as follows: ext4_split_extent path = *ppath; ext4_split_extent_at(ppath) path = ext4_find_extent(ppath) ext4_split_extent_at(ppath) // ext4_find_extent fails to free path // but zeroout succeeds ext4_ext_show_leaf(inode, path) eh = path[depth].p_hdr // path use-after-free !!! Similar to ext4_split_extent_at(), we use *ppath directly as an input to ext4_ext_show_leaf(). Fix a spelling error by the way. Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly. This issue is triggered only when EXT_DEBUG is defined and therefore does not affect functionality.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49889 was patched at 2024-11-19
151. Memory Corruption - Linux Kernel (CVE-2024-49894) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in degamma hardware format translation Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49894 was patched at 2024-11-19
152. Memory Corruption - Linux Kernel (CVE-2024-49895) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49895 was patched at 2024-11-19
153. Memory Corruption - Linux Kernel (CVE-2024-49924) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49924 was patched at 2024-11-19
154. Memory Corruption - Linux Kernel (CVE-2024-49936) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49936 was patched at 2024-11-19
155. Memory Corruption - Linux Kernel (CVE-2024-49950) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect [Syzbot reported] BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci2 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 ... Freed by task 5245: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x12a/0x3b0 mm/slub.c:4598 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49950 was patched at 2024-11-19
156. Memory Corruption - Linux Kernel (CVE-2024-49960) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount Syzbot has found an ODEBUG bug in ext4_fill_super The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called. Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49960 was patched at 2024-11-19
157. Memory Corruption - Linux Kernel (CVE-2024-49966) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49966 was patched at 2024-11-19
158. Memory Corruption - Linux Kernel (CVE-2024-49969) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 color transformation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error. drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49969 was patched at 2024-11-19
159. Memory Corruption - Linux Kernel (CVE-2024-49982) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49982 was patched at 2024-11-19
160. Memory Corruption - Linux Kernel (CVE-2024-49983) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process: ext4_ext_replay_update_ex ppath = path ext4_force_split_extent_at(&ppath) ext4_split_extent_at ext4_ext_insert_extent ext4_ext_create_new_leaf ext4_ext_grow_indepth ext4_find_extent if (depth > path[0].p_maxdepth) kfree(path) ---> path First freed *orig_path = path = NULL ---> null ppath kfree(path) ---> path double-free !!! So drop the unnecessary ppath and use path directly to avoid this problem. And use ext4_find_extent() directly to update path, avoiding unnecessary memory allocation and freeing. Also, propagate the error returned by ext4_find_extent() instead of using strange error codes.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49983 was patched at 2024-11-19
161. Memory Corruption - Linux Kernel (CVE-2024-49986) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors x86_android_tablet_remove() frees the pdevs[] array, so it should not be used after calling x86_android_tablet_remove(). When platform_device_register() fails, store the pdevs[x] PTR_ERR() value into the local ret variable before calling x86_android_tablet_remove() to avoid using pdevs[] after it has been freed.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49986 was patched at 2024-11-19
162. Memory Corruption - Linux Kernel (CVE-2024-49989) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix double free issue during amdgpu module unload Flexible endpoints use DIGs from available inflexible endpoints, so only the encoders of inflexible links need to be freed. Otherwise, a double free issue may occur when unloading the amdgpu module. [ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0 [ 279.190577] Call Trace: [ 279.190580] <TASK> [ 279.190582] ? show_regs+0x69/0x80 [ 279.190590] ? die+0x3b/0x90 [ 279.190595] ? do_trap+0xc8/0xe0 [ 279.190601] ? do_error_trap+0x73/0xa0 [ 279.190605] ? __slab_free+0x152/0x2f0 [ 279.190609] ? exc_invalid_op+0x56/0x70 [ 279.190616] ? __slab_free+0x152/0x2f0 [ 279.190642] ? asm_exc_invalid_op+0x1f/0x30 [ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191096] ? __slab_free+0x152/0x2f0 [ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191469] kfree+0x260/0x2b0 [ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191821] link_destroy+0xd7/0x130 [amdgpu] [ 279.192248] dc_destruct+0x90/0x270 [amdgpu] [ 279.192666] dc_destroy+0x19/0x40 [amdgpu] [ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu] [ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu] [ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu] [ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu] [ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu] [ 279.194632] pci_device_remove+0x3a/0xa0 [ 279.194638] device_remove+0x40/0x70 [ 279.194642] device_release_driver_internal+0x1ad/0x210 [ 279.194647] driver_detach+0x4e/0xa0 [ 279.194650] bus_remove_driver+0x6f/0xf0 [ 279.194653] driver_unregister+0x33/0x60 [ 279.194657] pci_unregister_driver+0x44/0x90 [ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu] [ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0 [ 279.194946] __x64_sys_delete_module+0x16/0x20 [ 279.194950] do_syscall_64+0x58/0x120 [ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 279.194980] </TASK>
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49989 was patched at 2024-11-19
163. Memory Corruption - Linux Kernel (CVE-2024-49991) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49991 was patched at 2024-11-19
164. Memory Corruption - Linux Kernel (CVE-2024-49992) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/stm: Avoid use-after-free issues with crtc and plane ltdc_load() calls functions drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(). These functions should not be called with parameters allocated with devm_kzalloc() to avoid use-after-free issues [1]. Use allocations managed by the DRM framework. Found by Linux Verification Center (linuxtesting.org). [1] https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49992 was patched at 2024-11-19
165. Memory Corruption - Linux Kernel (CVE-2024-49996) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix buffer overflow when parsing NFS reparse points ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currently accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49996 was patched at 2024-11-19
166. Memory Corruption - Linux Kernel (CVE-2024-50029) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? hci_enhanced_setup_sync+0x91b/0xa60 print_report+0x152/0x4c0 ? hci_enhanced_setup_sync+0x91b/0xa60 ? __virt_addr_valid+0x1fa/0x420 ? hci_enhanced_setup_sync+0x91b/0xa60 kasan_report+0xda/0x1b0 ? hci_enhanced_setup_sync+0x91b/0xa60 hci_enhanced_setup_sync+0x91b/0xa60 ? __pfx_hci_enhanced_setup_sync+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfx_worker_thread+0x10/0x10 ? __pfx_worker_thread+0x10/0x10 kthread+0x293/0x360 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 34: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hci_conn_add+0x187/0x17d0 hci_connect_sco+0x2e1/0xb90 sco_sock_connect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64_sys_connect+0x6d/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 37: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x101/0x160 kfree+0xd0/0x250 device_release+0x9a/0x210 kobject_put+0x151/0x280 hci_conn_del+0x448/0xbf0 hci_abort_conn_sync+0x46f/0x980 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 worker_thread+0x5b7/0xf60 kthread+0x293/0x360 ret_from_fork+0x2f/0x70 ret_from_fork_asm+0x1a/0x30
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50029 was patched at 2024-11-19
167. Memory Corruption - Linux Kernel (CVE-2024-50047) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50047 was patched at 2024-11-19
168. Memory Corruption - Linux Kernel (CVE-2024-50055) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: driver core: bus: Fix double free in driver API bus_register() For bus_register(), any error which happens after kset_register() will cause that @priv are freed twice, fixed by setting @priv with NULL after the first free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50055 was patched at 2024-11-19
169. Memory Corruption - Linux Kernel (CVE-2024-50067) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args

Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, causing out-of-bounds memory access.

It could be reproduced by the following steps:

1. build kernel with CONFIG_KASAN enabled
2. save the following program as test.c

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// If string length is larger than MAX_STRING_SIZE, the fetch_store_strlen()
// will return 0, causing __get_data_size() to return a shorter size, and
// store_trace_args() will not trigger out-of-bounds access.
// So make string length less than 4096.
#define STRLEN 4093

void generate_string(char *str, int n)
{
	int i;
	for (i = 0; i < n; ++i) {
		char c = i % 26 + 'a';
		str[i] = c;
	}
	str[n-1] = '\0';
}

void print_string(char *str)
{
	printf("%s\n", str);
}

int main()
{
	char tmp[STRLEN];

	generate_string(tmp, STRLEN);
	print_string(tmp);

	return 0;
}
```

3. compile program `gcc -o test test.c`
4. get the offset of `print_string()`

```
objdump -t test | grep -w print_string
0000000000401199 g     F .text  000000000000001b              print_string
```

5. configure uprobe with offset 0x1199

```
off=0x1199

cd /sys/kernel/debug/tracing/
echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events
echo 1 > events/uprobes/enable
echo 1 > tracing_on
```

6. run `test`, and kasan will report error.

```
==================================================================
BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
Write of size 8 at addr ffff88812311c004 by task test/499
CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x55/0x70
 print_address_description.constprop.0+0x27/0x310
 kasan_report+0x10f/0x120
 ? strncpy_from_user+0x1d6/0x1f0
 strncpy_from_user+0x1d6/0x1f0
 ? rmqueue.constprop.0+0x70d/0x2ad0
 process_fetch_insn+0xb26/0x1470
 ? __pfx_process_fetch_insn+0x10/0x10
 ? _raw_spin_lock+0x85/0xe0
 ? __pfx__raw_spin_lock+0x10/0x10
 ? __pte_offset_map+0x1f/0x2d0
 ? unwind_next_frame+0xc5f/0x1f80
 ? arch_stack_walk+0x68/0xf0
 ? is_bpf_text_address+0x23/0x30
 ? kernel_text_address.part.0+0xbb/0xd0
 ? __kernel_text_address+0x66/0xb0
 ? unwind_get_return_address+0x5e/0xa0
 ? __pfx_stack_trace_consume_entry+0x10/0x10
 ? arch_stack_walk+0xa2/0xf0
 ? _raw_spin_lock_irqsave+0x8b/0xf0
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? depot_alloc_stack+0x4c/0x1f0
 ? _raw_spin_unlock_irqrestore+0xe/0x30
 ? stack_depot_save_flags+0x35d/0x4f0
 ? kasan_save_stack+0x34/0x50
 ? kasan_save_stack+0x24/0x50
 ? mutex_lock+0x91/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 prepare_uprobe_buffer.part.0+0x2cd/0x500
 uprobe_dispatcher+0x2c3/0x6a0
 ? __pfx_uprobe_dispatcher+0x10/0x10
 ? __kasan_slab_alloc+0x4d/0x90
 handler_chain+0xdd/0x3e0
 handle_swbp+0x26e/0x3d0
 ? __pfx_handle_swbp+0x10/0x10
 ? uprobe_pre_sstep_notifier+0x151/0x1b0
 irqentry_exit_to_user_mode+0xe2/0x1b0
 asm_exc_int3+0x39/0x40
RIP: 0033:0x401199
Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce
RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206
RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2
RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0
RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20
R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040
R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
```

This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50067 was patched at 2024-11-19
170. Memory Corruption - Linux Kernel (CVE-2024-50073) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

```
BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
Read of size 8 at addr ffff88815fe99c00 by task poc/3379
CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
 <TASK>
 gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
 __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
 ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

Allocated by task 65:
 gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
 gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
 gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
 gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
 tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
 kthread+0x2a3/0x370 kernel/kthread.c:389
 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257

Freed by task 3367:
 kfree+0x126/0x420 mm/slub.c:4580
 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818
```

[Analysis]
gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl, which leads to the occurrence of uaf. Protect it by gsm tx lock.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50073 was patched at 2024-11-19
171. Memory Corruption - Linux Kernel (CVE-2024-50074) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50074 was patched at 2024-11-19
172. Memory Corruption - Linux Kernel (CVE-2024-50088) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free in add_inode_ref()

The add_inode_ref() function does not initialize the "name" struct when it is declared. If any of the following calls to "read_one_inode()" returns NULL,

```c
	dir = read_one_inode(root, parent_objectid);
	if (!dir) {
		ret = -ENOENT;
		goto out;
	}

	inode = read_one_inode(root, inode_objectid);
	if (!inode) {
		ret = -EIO;
		goto out;
	}
```

then "name.name" would be freed on "out" before being initialized.

```c
out:
	...
	kfree(name.name);
```

This issue was reported by Coverity with CID 1526744.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50088 was patched at 2024-11-19
173. Memory Corruption - Linux Kernel (CVE-2024-50121) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute `echo 0 > /proc/fs/nfsd/threads`, the function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will release all resources related to the hashed `nfs4_client`. If the `nfsd_client_shrinker` is running concurrently, the `expire_client` function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

```
nfsd_client_shrinker          echo 0 > /proc/fs/nfsd/threads

expire_client                 nfsd_shutdown_net
  unhash_client                 ...
                                nfs4_state_shutdown_net
                                  /* won't wait shrinker exit */
  /*                              cancel_work(&nn->nfsd_shrinker_work)
   * nfsd_file for this           /* won't destroy unhashed client1 */
   * client1 still alive          nfs4_state_destroy_net
   */
                                nfsd_file_cache_shutdown
                                  /* trigger warning */
                                  kmem_cache_destroy(nfsd_file_slab)
                                  kmem_cache_destroy(nfsd_file_mark_slab)
  /* release nfsd_file and mark */
  __destroy_client

====================================================================
BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()
--------------------------------------------------------------------
CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1
 dump_stack_lvl+0x53/0x70
 slab_err+0xb0/0xf0
 __kmem_cache_shutdown+0x15c/0x310
 kmem_cache_destroy+0x66/0x160
 nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
 nfsd_destroy_serv+0x251/0x2a0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

====================================================================
BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown()
--------------------------------------------------------------------
 dump_stack_lvl+0x53/0x70
 slab_err+0xb0/0xf0
 __kmem_cache_shutdown+0x15c/0x310
 kmem_cache_destroy+0x66/0x160
 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
 nfsd_destroy_serv+0x251/0x2a0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
```

To resolve this issue, cancel `nfsd_shrinker_work` using synchronous mode in nfs4_state_shutdown_net.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50121 was patched at 2024-11-19
174. Memory Corruption - Linux Kernel (CVE-2024-50124) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix UAF on iso_sock_timeout conn->sk may have been unlinked/freed while waiting for iso_conn_lock, so this checks if the conn->sk is still valid by checking if it is part of iso_sk_list.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50124 was patched at 2024-11-19
175. Memory Corruption - Linux Kernel (CVE-2024-50125) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_sock_timeout conn->sk may have been unlinked/freed while waiting for sco_conn_lock, so this checks if the conn->sk is still valid by checking if it is part of sco_sk_list.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50125 was patched at 2024-11-19
176. Memory Corruption - Linux Kernel (CVE-2024-50126) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: sched: use RCU read-side critical section in taprio_dump()

Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there. Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:

```
[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0
[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862
[T15862]
[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2
[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024
[T15862] Call trace:
[T15862]  dump_backtrace+0x20c/0x220
[T15862]  show_stack+0x2c/0x40
[T15862]  dump_stack_lvl+0xf8/0x174
[T15862]  print_report+0x170/0x4d8
[T15862]  kasan_report+0xb8/0x1d4
[T15862]  __asan_report_load4_noabort+0x20/0x2c
[T15862]  taprio_dump+0xa0c/0xbb0
[T15862]  tc_fill_qdisc+0x540/0x1020
[T15862]  qdisc_notify.isra.0+0x330/0x3a0
[T15862]  tc_modify_qdisc+0x7b8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Allocated by task 15857:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_alloc_info+0x40/0x60
[T15862]  __kasan_kmalloc+0xd4/0xe0
[T15862]  __kmalloc_cache_noprof+0x194/0x334
[T15862]  taprio_change+0x45c/0x2fe0
[T15862]  tc_modify_qdisc+0x6a8/0x1838
[T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
[T15862]  netlink_rcv_skb+0x1f8/0x3d4
[T15862]  rtnetlink_rcv+0x28/0x40
[T15862]  netlink_unicast+0x51c/0x790
[T15862]  netlink_sendmsg+0x79c/0xc20
[T15862]  __sock_sendmsg+0xe0/0x1a0
[T15862]  ____sys_sendmsg+0x6c0/0x840
[T15862]  ___sys_sendmsg+0x1ac/0x1f0
[T15862]  __sys_sendmsg+0x110/0x1d0
[T15862]  __arm64_sys_sendmsg+0x74/0xb0
[T15862]  invoke_syscall+0x88/0x2e0
[T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
[T15862]  do_el0_svc+0x44/0x60
[T15862]  el0_svc+0x50/0x184
[T15862]  el0t_64_sync_handler+0x120/0x12c
[T15862]  el0t_64_sync+0x190/0x194
[T15862]
[T15862] Freed by task 6192:
[T15862]  kasan_save_stack+0x3c/0x70
[T15862]  kasan_save_track+0x20/0x3c
[T15862]  kasan_save_free_info+0x4c/0x80
[T15862]  poison_slab_object+0x110/0x160
[T15862]  __kasan_slab_free+0x3c/0x74
[T15862]  kfree+0x134/0x3c0
[T15862]  taprio_free_sched_cb+0x18c/0x220
[T15862]  rcu_core+0x920/0x1b7c
[T15862]  rcu_core_si+0x10/0x1c
[T15862]  handle_softirqs+0x2e8/0xd64
[T15862]  __do_softirq+0x14/0x20
```
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50126 was patched at 2024-11-19
177. Memory Corruption - Linux Kernel (CVE-2024-50127) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: net: sched: fix use-after-free in taprio_change() In 'taprio_change()', 'admin' pointer may become dangling due to sched switch / removal caused by 'advance_sched()', and critical section protected by 'q->current_entry_lock' is too small to prevent from such a scenario (which causes use-after-free detected by KASAN). Fix this by preferring 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update 'admin' immediately before an attempt to schedule freeing.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50127 was patched at 2024-11-19
178. Memory Corruption - Linux Kernel (CVE-2024-50131) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length strlen() returns a string length excluding the null byte. If the string length equals the maximum buffer length, the buffer will have no space for the NULL terminating character. This commit checks this condition and returns failure for it.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50131 was patched at 2024-11-19
179. Memory Corruption - Linux Kernel (CVE-2024-50215) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: nvmet-auth: assign dh_key to NULL after kfree_sensitive ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup() for the same controller. So it's better to nullify it after release on error path in order to avoid double free later in nvmet_destroy_auth(). Found by Linux Verification Center (linuxtesting.org) with Svace.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50215 was patched at 2024-11-19
180. Memory Corruption - Linux Kernel (CVE-2024-50217) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger a UAF for variable 'device->bdev_file' in __btrfs_free_extra_devids(). And following are the details:

```
1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs
   devices by ioctl(BTRFS_IOC_SCAN_DEV):

             /  btrfs_device_1 → loop0
   fs_device
             \  btrfs_device_2 → loop1

2. mount /dev/loop0 /mnt
   btrfs_open_devices
    btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
   btrfs_fill_super
    open_ctree
     fail: btrfs_close_devices // -ENOMEM
            btrfs_close_bdev(btrfs_device_1)
             fput(btrfs_device_1->bdev_file)
              // btrfs_device_1->bdev_file is freed
            btrfs_close_bdev(btrfs_device_2)
             fput(btrfs_device_2->bdev_file)

3. mount /dev/loop1 /mnt
   btrfs_open_devices
    btrfs_get_bdev_and_sb(&bdev_file)
     // EIO, btrfs_device_1->bdev_file is not assigned,
     // which points to a freed memory area
    btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
   btrfs_fill_super
    open_ctree
     btrfs_free_extra_devids
      if (btrfs_device_1->bdev_file)
       fput(btrfs_device_1->bdev_file) // UAF !
```

Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50217 was patched at 2024-11-19
181. Memory Corruption - Linux Kernel (CVE-2024-50226) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

In support of investigating an initialization failure report [1], cxl_test was updated to register mock memory-devices after the mock root-port/bus device had been registered. That led to cxl_test crashing with a use-after-free bug with the following signature:

```
    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1
    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1
    cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0
1)  cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1
    [..]
    cxld_unregister: cxl decoder14.0:
    cxl_region_decode_reset: cxl_region region3:
    mock_decoder_reset: cxl_port port3: decoder3.0 reset
2)  mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1
    cxl_endpoint_decoder_release: cxl decoder14.0:
    [..]
    cxld_unregister: cxl decoder7.0:
3)  cxl_region_decode_reset: cxl_region region3:
    Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI
    [..]
    RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core]
    [..]
    Call Trace:
     <TASK>
     cxl_region_decode_reset+0x69/0x190 [cxl_core]
     cxl_region_detach+0xe8/0x210 [cxl_core]
     cxl_decoder_kill_region+0x27/0x40 [cxl_core]
     cxld_unregister+0x5d/0x60 [cxl_core]
```

At 1) a region has been established with 2 endpoint decoders (7.0 and 14.0). Those endpoints share a common switch-decoder in the topology (3.0). At teardown, 2), decoder14.0 is the first to be removed and hits the "out of order reset case" in the switch decoder. The effect though is that region3 cleanup is aborted leaving it intact and referencing decoder14.0. At 3) the second attempt to teardown region3 trips over the stale decoder14.0 object which has long since been deleted.

The fix here is to recognize that the CXL specification places no mandate on in-order shutdown of switch-decoders, the driver enforces in-order allocation, and hardware enforces in-order commit. So, rather than fail and leave objects dangling, always remove them.

In support of making cxl_region_decode_reset() always succeed, cxl_region_invalidate_memregion() failures are turned into warnings. Crashing the kernel is ok there since system integrity is at risk if caches cannot be managed around physical address mutation events like CXL region destruction.

A new device_for_each_child_reverse_from() is added to cleanup port->commit_end after all dependent decoders have been disabled. In other words if decoders are allocated 0->1->2 and disabled 1->2->0 then port->commit_end only decrements from 2 after 2 has been disabled, and it decrements all the way to zero since 1 was disabled previously.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50226 was patched at 2024-11-19
182. Memory Corruption - Linux Kernel (CVE-2024-50230) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix kernel bug due to missing clearing of checked flag Syzbot reported that in directory operations after nilfs2 detects filesystem corruption and degrades to read-only, __block_write_begin_int(), which is called to prepare block writes, may fail the BUG_ON check for accesses exceeding the folio/page size, triggering a kernel bug. This was found to be because the "checked" flag of a page/folio was not cleared when it was discarded by nilfs2's own routine, which causes the sanity check of directory entries to be skipped when the directory page/folio is reloaded. So, fix that. This was necessary when the use of nilfs2's own page discard routine was applied to more than just metadata files.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50230 was patched at 2024-11-19
183. Memory Corruption - Linux Kernel (CVE-2024-50235) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: clear wdev->cqm_config pointer on free When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50235 was patched at 2024-11-19
184. Memory Corruption - Linux Kernel (CVE-2024-50257) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: netfilter: Fix use-after-free in get_info()

ip6table_nat module unload has refcnt warning for UAF. call trace is:

```
WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80
Modules linked in: ip6table_nat(-)
CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:module_put+0x6f/0x80
Call Trace:
 <TASK>
 get_info+0x128/0x180
 do_ip6t_get_ctl+0x6a/0x430
 nf_getsockopt+0x46/0x80
 ipv6_getsockopt+0xb9/0x100
 rawv6_getsockopt+0x42/0x190
 do_sock_getsockopt+0xaa/0x180
 __sys_getsockopt+0x70/0xc0
 __x64_sys_getsockopt+0x20/0x30
 do_syscall_64+0xa2/0x1a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
```

Concurrent execution of module unload and get_info() triggered the warning. The root cause is as follows:

```
cpu0                              cpu1
module_exit                       //mod->state = MODULE_STATE_GOING
  ip6table_nat_exit
    xt_unregister_template
      kfree(t)                    //removed from templ_list
                                  getinfo()
                                    t = xt_find_table_lock
                                      list_for_each_entry(tmpl, &xt_templates[af]...)
                                        if (strcmp(tmpl->name, name))
                                          continue;       //table not found
                                        try_module_get
                                      list_for_each_entry(t, &xt_net->tables[af]...)
                                        return t;         //not get refcnt
                                    module_put(t->me)     //uaf
    unregister_pernet_subsys      //remove table from xt_net list
```

While xt_table module was going away and has been removed from xt_templates list, we couldn't get refcnt of xt_table->me. Check module in xt_net->tables list re-traversal to fix it.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50257 was patched at 2024-11-19
185. Memory Corruption - Linux Kernel (CVE-2024-50261) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: macsec: Fix use-after-free while sending the offloading packet KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while the driver still uses it for sending the packet. To fix this issue, dst_release() is used instead to release metadata_dst. So it is not freed instantly in macsec_free_netdev() if still referenced by skb. BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714 [...] Workqueue: mld mld_ifc_work Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xc1/0x600 kasan_report+0xab/0xe0 mlx5e_xmit+0x1e8f/0x4190 [mlx5_core] dev_hard_start_xmit+0x120/0x530 sch_direct_xmit+0x149/0x11e0 __qdisc_run+0x3ad/0x1730 __dev_queue_xmit+0x1196/0x2ed0 vlan_dev_hard_start_xmit+0x32e/0x510 [8021q] dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 macsec_start_xmit+0x13e9/0x2340 dev_hard_start_xmit+0x120/0x530 __dev_queue_xmit+0x14a7/0x2ed0 ip6_finish_output2+0x923/0x1a70 ip6_finish_output+0x2d7/0x970 ip6_output+0x1ce/0x3a0 NF_HOOK.constprop.0+0x15f/0x190 mld_sendpack+0x59a/0xbd0 mld_ifc_work+0x48a/0xa80 process_one_work+0x5aa/0xe50 worker_thread+0x79c/0x1290 kthread+0x28f/0x350 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x11/0x20 </TASK> Allocated by task 3922: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x77/0x90 __kmalloc_noprof+0x188/0x400 metadata_dst_alloc+0x1f/0x4e0 macsec_newlink+0x914/0x1410 __rtnl_newlink+0xe08/0x15b0 rtnl_newlink+0x5f/0x90 rtnetlink_rcv_msg+0x667/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 4011: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x50 poison_slab_object+0x10c/0x190 __kasan_slab_free+0x11/0x30 kfree+0xe0/0x290 macsec_free_netdev+0x3f/0x140 netdev_run_todo+0x450/0xc70 rtnetlink_rcv_msg+0x66f/0xa80 netlink_rcv_skb+0x12c/0x360 netlink_unicast+0x551/0x770 netlink_sendmsg+0x72d/0xbd0 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x52e/0x6a0 ___sys_sendmsg+0xeb/0x170 __sys_sendmsg+0xb5/0x140 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50261 was patched at 2024-11-19
186. Memory Corruption - Linux Kernel (CVE-2024-50262) - Medium [346]
Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie whose max_prefixlen is 8, with the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 cause 9 nodes to be written to the node stack of size 8.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50262 was patched at 2024-11-19
187. Cross Site Scripting - DOMPurify (CVE-2024-48910) - Medium [345]
Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.5 | 14 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 9.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-48910 was patched at 2024-11-19
188. Cross Site Scripting - wordpress (CVE-2022-4973) - Medium [345]
Description: WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:wordpress:wordpress (exists in CPE dict) |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 4.9. According to NVD data source |
EPSS Percentile | 0.5 | 10 | EPSS Probability is 0.00115, EPSS Percentile is 0.46452 |
debian: CVE-2022-4973 was patched at 2024-11-19
189. Command Injection - Python (CVE-2024-9287) - Medium [344]
Description: A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.97 | 15 | Command Injection |
Vulnerable Product is Common | 0.6 | 14 | Python is a high-level, general-purpose programming language |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.3. According to Vulners data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14461 |
debian: CVE-2024-9287 was patched at 2024-11-19
ubuntu: CVE-2024-9287 was patched at 2024-11-19
190. Memory Corruption - Chromium (CVE-2024-10488) - Medium [341]
Description: Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-10488 was patched at 2024-11-03, 2024-11-19
191. Memory Corruption - Chromium (CVE-2024-10826) - Medium [341]
Description: Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-10826 was patched at 2024-11-11, 2024-11-19
192. Memory Corruption - Chromium (CVE-2024-10827) - Medium [341]
Description: Use after free in Serial in Google Chrome prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-10827 was patched at 2024-11-11, 2024-11-19
193. Memory Corruption - Chromium (CVE-2024-11113) - Medium [341]
Description: Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11113 was patched at 2024-11-19
194. Memory Corruption - Chromium (CVE-2024-11395) - Medium [341]
Description: Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11395 was patched at 2024-11-20
195. Memory Corruption - Chromium (CVE-2024-9955) - Medium [341]
Description: Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-9955 was patched at 2024-10-17, 2024-10-20
196. Memory Corruption - Chromium (CVE-2024-9957) - Medium [341]
Description: Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-9957 was patched at 2024-10-17, 2024-10-20
197. Memory Corruption - Chromium (CVE-2024-9959) - Medium [341]
Description: Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-9959 was patched at 2024-10-17, 2024-10-20
198. Memory Corruption - Chromium (CVE-2024-9960) - Medium [341]
Description: Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-9960 was patched at 2024-10-17, 2024-10-20
199. Memory Corruption - Chromium (CVE-2024-9961) - Medium [341]
Description: Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.9 | 10 | CVSS Base Score is 8.8. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-9961 was patched at 2024-10-17, 2024-10-20
200. Security Feature Bypass - PHP (CVE-2024-50343) - Medium [341]
Description: symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.8 | 14 | PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. |
CVSS Base Score | 0.3 | 10 | CVSS Base Score is 3.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50343 was patched at 2024-11-11, 2024-11-19
201. Open Redirect - PHP (CVE-2024-50345) - Medium [338]
Description: symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.75 | 15 | Open Redirect |
Vulnerable Product is Common | 0.8 | 14 | PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. |
CVSS Base Score | 0.3 | 10 | CVSS Base Score is 3.1. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.27354 |
debian: CVE-2024-50345 was patched at 2024-11-11, 2024-11-19
202. Denial of Service - Oracle MySQL (CVE-2024-21230) - Medium [336]
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 6.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21230 was patched at 2024-11-12
203. Security Feature Bypass - Oracle MySQL (CVE-2024-21212) - Medium [336]
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Health Monitor). Supported versions that are affected are 8.0.39 and prior and 8.4.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.7 | 14 | MySQL is an open-source relational database management system |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.4. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00044, EPSS Percentile is 0.14774 |
ubuntu: CVE-2024-21212 was patched at 2024-11-12
204. Cross Site Scripting - Chromium (CVE-2024-11111) - Medium [335]
Description: Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11111 was patched at 2024-11-19
205. Cross Site Scripting - Chromium (CVE-2024-11116) - Medium [335]
Description: Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.8 | 15 | Cross Site Scripting |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11116 was patched at 2024-11-19
206. Incorrect Calculation - Linux Kernel (CVE-2024-47686) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() The psc->div[] array has psc->num_div elements. These values come from when we call clk_hw_register_div(). It's adc_divisors and ARRAY_SIZE(adc_divisors) and so on. So this condition needs to be >= instead of > to prevent an out of bounds read.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47686 was patched at 2024-11-19
207. Memory Corruption - Linux Kernel (CVE-2022-48966) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: net: mvneta: Prevent out of bounds read in mvneta_config_rss() The pp->indir[0] value comes from the user. It is passed to: if (cpu_online(pp->rxq_def)) inside the mvneta_percpu_elect() function. It needs bounds checking to ensure that it is not beyond the end of the cpu bitmap.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48966 was patched at 2024-11-19
208. Memory Corruption - Linux Kernel (CVE-2022-48988) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48988 was patched at 2024-11-19
209. Memory Corruption - Linux Kernel (CVE-2022-48999) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to-be-deleted route contains a multipath spec while the fib_info is using a nexthop object.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48999 was patched at 2024-11-19
210. Memory Corruption - Linux Kernel (CVE-2022-49031) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4403: Fix oob read in afe4403_read_raw KASAN reports an out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by a single command: $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw The array size of afe4403_channel_leds is less than channels, so access with chan->address causes an OOB read in afe4403_read_raw. Fix it by moving the access check before the use.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49031 was patched at 2024-11-19
211. Memory Corruption - Linux Kernel (CVE-2022-49032) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw KASAN reports an out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 Read of size 4 at addr ffffffffc00e4658 by task cat/278 Call Trace: afe4404_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4404_channel_leds+0x18/0xffffffffffffe9c0 This issue can be reproduced by a single command: $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw The array sizes of afe4404_channel_leds and afe4404_channel_offdacs are less than channels, so access with chan->address causes an OOB read in afe4404_[read|write]_raw. Fix it by moving the access checks before the uses.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49032 was patched at 2024-11-19
212. Memory Corruption - Linux Kernel (CVE-2023-52776) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dfs-radar and temperature event locking The ath12k active pdevs are protected by RCU but the DFS-radar and temperature event handling code calling ath12k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as RCU read-side critical sections to avoid any potential use-after-free issues. Note that the temperature event handler looks like a placeholder currently but would still trigger an RCU lockdep splat. Compile tested only.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.9. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
redos: CVE-2023-52776 was patched at 2024-11-19
213. Memory Corruption - Linux Kernel (CVE-2024-26785) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix protection fault in iommufd_test_syz_conv_iova Syzkaller reported the following bug: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7] Call Trace: lock_acquire lock_acquire+0x1ce/0x4f0 down_read+0x93/0x4a0 iommufd_test_syz_conv_iova+0x56/0x1f0 iommufd_test_access_rw.isra.0+0x2ec/0x390 iommufd_test+0x1058/0x1e30 iommufd_fops_ioctl+0x381/0x510 vfs_ioctl __do_sys_ioctl __se_sys_ioctl __x64_sys_ioctl+0x170/0x1e0 do_syscall_x64 do_syscall_64+0x71/0x140 This is because the new iommufd_access_change_ioas() sets access->ioas to NULL during its process, so the lock might be gone in a concurrent racing context. Fix this by doing the same access->ioas sanity as iommufd_access_rw() and iommufd_access_pin_pages() functions do.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
oraclelinux: CVE-2024-26785 was patched at 2024-11-14
214. Memory Corruption - Linux Kernel (CVE-2024-26786) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix iopt_access_list_id overwrite bug Syzkaller reported the following WARN_ON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360 Call Trace: iommufd_access_change_ioas+0x2fe/0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0xb50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64 The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails. Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
oraclelinux: CVE-2024-26786 was patched at 2024-11-14
redos: CVE-2024-26786 was patched at 2024-10-23
215. Memory Corruption - Linux Kernel (CVE-2024-47723) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: jfs: fix out-of-bounds in dbNextAG() and diAlloc() In dbNextAG(), there is no check for the case where bmp->db_numag is greater than or equal to MAXAG due to a polluted image, which causes an out-of-bounds. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so that an out-of-bounds exception is prevented. Additionally, a check for the case where agno is greater than or equal to MAXAG should be added in diAlloc() to prevent out-of-bounds.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47723 was patched at 2024-11-19
216. Memory Corruption - Linux Kernel (CVE-2024-47747) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47747 was patched at 2024-11-19
217. Memory Corruption - Linux Kernel (CVE-2024-47757) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47757 was patched at 2024-11-19
218. Memory Corruption - Linux Kernel (CVE-2024-49855) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between timeout and normal completion If a request timeout is handled by nbd_requeue_cmd(), normal completion has to be stopped to avoid completing this requeued request; otherwise a use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), and meanwhile make sure that cmd->lock is grabbed for clearing the flag and the requeue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49855 was patched at 2024-11-19
219. Memory Corruption - Linux Kernel (CVE-2024-49903) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uaf in dbFreeBits [syzbot reported] ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __mutex_lock_common kernel/locking/mutex.c:587 [inline] __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Freed by task 5218: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kfree+0x149/0x360 mm/slub.c:4594 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 reconfigure_super+0x445/0x880 fs/super.c:1083 vfs_cmd_reconfigure fs/fsopen.c:263 [inline] vfs_fsconfig_locked fs/fsopen.c:292 [inline] __do_sys_fsconfig fs/fsopen.c:473 [inline] __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Analysis] There are two paths (dbUnmount and jfs_ioc_trim) that generate a race condition when accessing bmap, which leads to the occurrence of uaf. Use the lock s_umount to synchronize them, in order to avoid uaf caused by the race condition.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49903 was patched at 2024-11-19
220. Memory Corruption - Linux Kernel (CVE-2024-49928) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Because the loop-expression will do one more time before getting false from cond-expression, the original code copied one more entry size beyond valid region. Fix it by moving the entry copy to loop-body.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49928 was patched at 2024-11-19
221. Memory Corruption - Linux Kernel (CVE-2024-49981) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: media: venus: fix use after free bug in venus_remove due to race condition in venus_probe, core->work is bound with venus_sys_error_handler, which is used to handle errors. The code uses core->sys_err_done to synchronize the work. The core->work is started in venus_event_notify. If we call venus_remove, there might be an unfinished work. The possible sequence is as follows: CPU0 CPU1 |venus_sys_error_handler venus_remove | hfi_destroy | venus_hfi_destroy | kfree(hdev); | |hfi_reinit |venus_hfi_queues_reinit |//use hdev Fix it by canceling the work in venus_remove.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49981 was patched at 2024-11-19
222. Memory Corruption - Linux Kernel (CVE-2024-50059) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call the switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work. If we remove the module, which will call switchtec_ntb_remove to perform cleanup, it will free sndev through kfree(sndev), while the work mentioned above will still be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | check_link_status_work switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50059 was patched at 2024-11-19
223. Memory Corruption - Linux Kernel (CVE-2024-50061) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call the cnds_i3c_master_demux_ibis function to start the work. If we remove the module, which will call cdns_i3c_master_remove to perform cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will still be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | cdns_i3c_master_hj cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50061 was patched at 2024-11-19
224. Memory Corruption - Linux Kernel (CVE-2024-50086) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free from session log off There is a racy issue between smb2 session log off and smb2 session setup. It will cause a use-after-free from session log off. This adds session_lock when setting SMB2_SESSION_EXPIRED and a reference count to the session struct so as not to free the session while it is being used.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50086 was patched at 2024-11-19
225. Memory Corruption - Linux Kernel (CVE-2024-50106) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending a free_stateid operation. The laundromat thread finds that a delegation has expired and needs to be revoked, so it marks the delegation stid revoked and puts it on a reaper list, but then it unlocks the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked, a racing free_stateid processing thread does the following: (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation, but that means it will not release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that the lease list isn't empty and calls nfsd_breaker_owns_lease(), which ends up trying to dereference a freed delegation stateid. Leading to the following use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fix that's based on adding 2 new additional stid sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First, to make sure that once the stid is marked revoked it is not removed by nfsd4_free_stateid(), the laundromat takes a reference on the stateid. Then, to coordinate whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each checks that state and acts accordingly. If the laundromat has added it to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that the operation arrived before the laundromat has placed it on the cl_revoke list, it marks the state freed and then the laundromat will no longer add it to the list. Also, for nfsd4_delegreturn(), when looking for the specified stid, we need to access stids that are marked removed or freeable; this means the laundromat has started processing it but hasn't finished, and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50106 was patched at 2024-11-19
226. Memory Corruption - Linux Kernel (CVE-2024-50115) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50115 was patched at 2024-11-19
227. Memory Corruption - Linux Kernel (CVE-2024-50128) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: net: wwan: fix global oob in wwan_rtnl_policy The variable wwan_rtnl_link_ops assigns a *bigger* maxtype, which leads to a global out-of-bounds read when parsing the netlink attributes. Exactly the same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"). ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603 Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862 CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x14f/0x750 mm/kasan/report.c:395 kasan_report+0x139/0x170 mm/kasan/report.c:495 validate_nla lib/nlattr.c:388 [inline] __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603 __nla_parse+0x3c/0x50 lib/nlattr.c:700 nla_parse_nested_deprecated include/net/netlink.h:1269 [inline] __rtnl_newlink net/core/rtnetlink.c:3514 [inline] rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623 rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f67b19a24ad RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004 RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40 </TASK> The buggy address belongs to the variable: wwan_rtnl_policy+0x20/0x40 The buggy address belongs to the physical page: page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9 ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 >ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 ^ ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== According to the comment of `nla_parse_nested_deprecated`, use the correct size `IFLA_WWAN_MAX` here to fix this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50128 was patched at 2024-11-19
228. Memory Corruption - Linux Kernel (CVE-2024-50154) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. 
[1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.0. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50154 was patched at 2024-11-19
229. Memory Corruption - Linux Kernel (CVE-2024-50156) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() If the allocation in msm_disp_state_dump_regs() failed then `block->state` can be NULL. The msm_disp_state_print_regs() function _does_ have code to try to handle it with: if (*reg) dump_addr = *reg; ...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference `dump_addr`. Make the function print "Registers not stored" when it sees a NULL to solve this. Since we're touching the code, fix msm_disp_state_print_regs() not to pointlessly take a double-pointer and properly mark the pointer as `const`. Patchwork: https://patchwork.freedesktop.org/patch/619657/
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-50156 was patched at 2024-11-19
230. Memory Corruption - Linux Kernel (CVE-2024-50247) - Medium [334]
Description: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Check if more than chunk-size bytes are written An incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes, and an index out of bounds will occur in s_max_off.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.7 | 10 | CVSS Base Score is 7.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50247 was patched at 2024-11-19
231. Denial of Service - Jetty (CVE-2024-8184) - Medium [332]
Description: There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.6 | 14 | Jetty is a Java based web server and servlet engine |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.9. According to NVD data source |
EPSS Percentile | 0.3 | 10 | EPSS Probability is 0.00075, EPSS Percentile is 0.33825 |
debian: CVE-2024-8184 was patched at 2024-11-19
232. Denial of Service - Vault (CVE-2024-8185) - Medium [332]
Description: Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion via a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.6 | 14 | Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
redos: CVE-2024-8185 was patched at 2024-11-13
233. Security Feature Bypass - Nextcloud (CVE-2024-52510) - Medium [332]
Description: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed bypassing the signature validation if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.6 | 14 | Nextcloud server is a self hosted personal cloud system |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.2. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00045, EPSS Percentile is 0.17041 |
debian: CVE-2024-52510 was patched at 2024-11-19
234. Information Disclosure - Vault (CVE-2023-3462) - Medium [331]
Description: HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure |
Vulnerable Product is Common | 0.6 | 14 | Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00049, EPSS Percentile is 0.19685 |
redos: CVE-2023-3462 was patched at 2024-10-28
235. Denial of Service - Chromium (CVE-2024-9962) - Medium [329]
Description: Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-9962 was patched at 2024-10-17, 2024-10-20
236. Denial of Service - Chromium (CVE-2024-9964) - Medium [329]
Description: Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.4 | 10 | CVSS Base Score is 4.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-9964 was patched at 2024-10-17, 2024-10-20
237. Information Disclosure - PHP (CVE-2024-50342) - Medium [329]
Description: symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.83 | 15 | Information Disclosure |
Vulnerable Product is Common | 0.8 | 14 | PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. |
CVSS Base Score | 0.3 | 10 | CVSS Base Score is 3.1. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-50342 was patched at 2024-11-11, 2024-11-19
238. Memory Corruption - Chromium (CVE-2024-11112) - Medium [329]
Description: Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | Chromium is a free and open-source web browser project, mainly developed and maintained by Google |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-11112 was patched at 2024-11-19
239. Memory Corruption - GNOME desktop (CVE-2024-52531) - Medium [329]
Description: GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. Input received over the network cannot trigger this.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.8 | 14 | GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.4. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-52531 was patched at 2024-11-19
240. Denial of Service - Flask (CVE-2024-49767) - Medium [327]
Description: Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` from a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Flask is a lightweight WSGI web application framework |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00056, EPSS Percentile is 0.24607 |
debian: CVE-2024-49767 was patched at 2024-11-19
ubuntu: CVE-2024-49767 was patched at 2024-11-05
241. Denial of Service - Rexml (CVE-2024-49761) - Medium [327]
Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:ruby-lang:rexml (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00053, EPSS Percentile is 0.22686 |
debian: CVE-2024-49761 was patched at 2024-11-19, 2024-11-20
redos: CVE-2024-49761 was patched at 2024-11-13
ubuntu: CVE-2024-49761 was patched at 2024-11-05
242. Denial of Service - Suricata (CVE-2024-45795) - Medium [327]
Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:oisf:suricata (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-45795 was patched at 2024-11-19
243. Denial of Service - Suricata (CVE-2024-47522) - Medium [327]
Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:oisf:suricata (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-47522 was patched at 2024-11-19
244. Denial of Service - nimbus_jose+jwt (CVE-2023-52428) - Medium [327]
Description: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:connect2id:nimbus_jose\+jwt (does NOT exist in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00049, EPSS Percentile is 0.20256 |
redhat: CVE-2023-52428 was patched at 2024-11-04
245. Path Traversal - Consul (CVE-2024-10005) - Medium [327]
Description: A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Path Traversal |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:hashicorp:consul (exists in CPE dict) |
CVSS Base Score | 0.8 | 10 | CVSS Base Score is 8.1. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00047, EPSS Percentile is 0.19013 |
debian: CVE-2024-10005 was patched at 2024-11-19
246. Security Feature Bypass - mutt (CVE-2024-49394) - Medium [327]
Description: In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.9 | 15 | Security Feature Bypass |
Vulnerable Product is Common | 0.5 | 14 | Product detected by a:mutt:mutt (exists in CPE dict) |
CVSS Base Score | 0.5 | 10 | CVSS Base Score is 5.3. According to NVD data source |
EPSS Percentile | 0.2 | 10 | EPSS Probability is 0.00046, EPSS Percentile is 0.18445 |
debian: CVE-2024-49394 was patched at 2024-11-19
247. Denial of Service - QEMU (CVE-2024-4693) - Medium [324]
Description: A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop(). This flaw allows a malicious guest to crash the QEMU process on the host.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.7 | 15 | Denial of Service |
Vulnerable Product is Common | 0.7 | 14 | QEMU is a generic and open source machine & userspace emulator and virtualizer |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
ubuntu: CVE-2024-4693 was patched at 2024-11-08
248. Incorrect Calculation - Linux Kernel (CVE-2022-48987) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: media: v4l2-dv-timings.c: fix too strict blanking sanity checks Sanity checks were added to verify the v4l2_bt_timings blanking fields in order to avoid integer overflows when userspace passes weird values. But that assumed that userspace would correctly fill in the front porch, back porch and sync values; sometimes all you know is the total blanking, which is then assigned to just one of these fields, and that can fail these checks. So instead set a maximum for the total horizontal and vertical blanking and check that each field remains below that. That is still sufficient to avoid integer overflows, but it also allows for more flexibility in how userspace fills in these fields.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48987 was patched at 2024-11-19
249. Incorrect Calculation - Linux Kernel (CVE-2024-42066) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix potential integer overflow in page size calculation Explicitly cast tbo->page_alignment to u64 before bit-shifting to prevent overflow when assigning to min_page_size.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
ubuntu: CVE-2024-42066 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
250. Incorrect Calculation - Linux Kernel (CVE-2024-42231) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix calc_available_free_space() for zoned mode calc_available_free_space() returns the total size of metadata (or system) block groups, which can be allocated from unallocated disk space. The logic is wrong on zoned mode in two places. First, the calculation of data_chunk_size is wrong. We always allocate one zone as one chunk, and no partial allocation of a zone. So, we should use zone_size (= data_sinfo->chunk_size) as it is. Second, the result "avail" may not be zone aligned. Since we always allocate one zone as one chunk on zoned mode, returning non-zone size aligned bytes will result in less pressure on the async metadata reclaim process. This is serious for the nearly full state with a large zone size device. Allowing over-commit too much will result in less async reclaim work and end up in ENOSPC. We can align down to the zone size to avoid that.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
ubuntu: CVE-2024-42231 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
251. Incorrect Calculation - Linux Kernel (CVE-2024-47739) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: padata: use integer wrap around to prevent deadlock on seq_nr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next. To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-47739 was patched at 2024-11-19
252. Incorrect Calculation - Linux Kernel (CVE-2024-49892) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize get_bytes_per_element's default to 1 Variables used as denominators, which may never be assigned other values, should not be 0. bytes_per_element_y & bytes_per_element_c are initialized by get_bytes_per_element(), which should never return 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49892 was patched at 2024-11-19
253. Incorrect Calculation - Linux Kernel (CVE-2024-49899) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize denominators' default to 1 [WHAT & HOW] Variables used as denominators, which may never be assigned other values, should not be 0. Change their default to 1 so they are never 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2024-49899 was patched at 2024-11-19
254. Incorrect Calculation - Linux Kernel (CVE-2024-49977) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix zero-division error when disabling tc cbs The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled") allows the "port_transmit_rate_kbps" to be set to a value of 0, which is then passed to the "div_s64" function when tc-cbs is disabled. This leads to a zero-division error. When tc-cbs is disabled, the idleslope, sendslope, and credit values are not required to be configured. Therefore, adding a return statement after setting the txQ mode to DCB when tc-cbs is disabled would prevent a zero-division error.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49977 was patched at 2024-11-19
255. Incorrect Calculation - Linux Kernel (CVE-2024-49994) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-49994 was patched at 2024-11-19
256. Incorrect Calculation - Linux Kernel (CVE-2024-50001) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix error path in multi-packet WQE transmit Remove the erroneous unmap in case no DMA mapping was established. The multi-packet WQE transmit code attempts to obtain a DMA mapping for the skb. This could fail, e.g. under memory pressure, when the IOMMU driver just can't allocate more memory for page tables. While the code tries to handle this in the path below the err_unmap label, it erroneously unmaps one entry from the sq's FIFO list of active mappings. Since the current map attempt failed, this unmap is removing some random DMA mapping that might still be required. If the PCI function now presents that IOVA, the IOMMU may assume a rogue DMA access and e.g. on s390 put the PCI function in error state. The erroneous behavior was seen in a stress-test environment that created memory pressure.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50001 was patched at 2024-11-19
257. Incorrect Calculation - Linux Kernel (CVE-2024-50002) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: static_call: Handle module init failure correctly in static_call_del_module() Module insertion invokes static_call_add_module() to initialize the static calls in a module. static_call_add_module() invokes __static_call_init(), which allocates a struct static_call_mod to either encapsulate the built-in static call sites of the associated key into it so further modules can be added or to append the module to the module chain. If that allocation fails the function returns with an error code and the module core invokes static_call_del_module() to clean up eventually added static_call_mod entries. This works correctly when all keys used by the module were converted over to a module chain before the failure. If not, then static_call_del_module() causes a #GP as it blindly assumes that key::mods points to a valid struct static_call_mod. The problem is that key::mods is not an individual struct member of struct static_call_key, it's part of a union to save space: union { /* bit 0: 0 = mods, 1 = sites */ unsigned long type; struct static_call_mod *mods; struct static_call_site *sites; }; key::sites is a pointer to the list of built-in usage sites of the static call. The type of the pointer is differentiated by bit 0. A mods pointer has the bit clear, the sites pointer has the bit set. As static_call_del_module() blindly assumes that the pointer is a valid static_call_mod type, it fails to check for this failure case and dereferences the pointer to the list of built-in call sites, which is obviously bogus. Cure it by checking whether the key has a sites or a mods pointer. If it's a sites pointer then the key is not to be touched. As the sites are walked in the same order as in __static_call_init(), the site walk can be terminated because all subsequent sites have not been touched by the init code due to the error exit.
If it was converted before the allocation fail, then the inner loop which searches for a module match will find nothing. A fail in the second allocation in __static_call_init() is harmless and does not require special treatment. The first allocation succeeded and converted the key to a module chain. That first entry has mod::mod == NULL and mod::next == NULL, so the inner loop of static_call_del_module() will neither find a module match nor a module chain. The next site in the walk was either already converted, but can't match the module, or it will exit the outer loop because it has a static_call_site pointer and not a static_call_mod pointer.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50002 was patched at 2024-11-19
258. Incorrect Calculation - Linux Kernel (CVE-2024-50016) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid overflow assignment in link_dp_cts sampling_rate is a uint8_t but is assigned an unsigned int, and thus it can overflow. As a result, sampling_rate is changed to uint32_t. Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should only be assigned a value less than or equal to 4. This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50016 was patched at 2024-11-19
259. Incorrect Calculation - Linux Kernel (CVE-2024-50018) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: napi: Prevent overflow of napi_defer_hard_irqs In commit 6f8b12d661d0 ("net: napi: add hard irqs deferral feature") napi_defer_irqs was added to net_device and napi_defer_irqs_count was added to napi_struct, both as type int. This value never goes below zero, so there is no reason for it to be a signed int. Change the type for both from int to u32, and add an overflow check to sysfs to limit the value to S32_MAX. The limit of S32_MAX was chosen because the practical limit before this patch was S32_MAX (anything larger was an overflow) and thus there are no behavioral changes introduced. If the extra bit is needed in the future, the limit can be raised. Before this patch: $ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs' $ cat /sys/class/net/eth4/napi_defer_hard_irqs -2147483647 After this patch: $ sudo bash -c 'echo 2147483649 > /sys/class/net/eth4/napi_defer_hard_irqs' bash: line 0: echo: write error: Numerical result out of range Similarly, /sys/class/net/XXXXX/tx_queue_len is defined as unsigned: include/linux/netdevice.h: unsigned int tx_queue_len; And has an overflow check: dev_change_tx_queue_len(..., unsigned long new_len): if (new_len != (unsigned int)new_len) return -ERANGE;
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50018 was patched at 2024-11-19
260. Incorrect Calculation - Linux Kernel (CVE-2024-50202) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: nilfs2: propagate directory read errors from nilfs_find_entry() Syzbot reported that a task hang occurs in vcs_open() during a fuzzing test for nilfs2. The root cause of this problem is that nilfs_find_entry(), which searches for directory entries, ignores errors when loading a directory page/folio via nilfs_get_folio() fails. If the filesystem image is corrupted, and the i_size of the directory inode is large, and the directory page/folio is successfully read but fails the sanity check, for example when it is zero-filled, nilfs_check_folio() may continue to spit out error messages in bursts. Fix this issue by propagating the error to the callers when loading a page/folio fails in nilfs_find_entry(). The current interface of nilfs_find_entry() and its callers is outdated and cannot propagate error codes such as -EIO and -ENOMEM returned via nilfs_find_entry(), so fix it together.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50202 was patched at 2024-11-19
261. Incorrect Calculation - Linux Kernel (CVE-2024-50205) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division. The observed behavior was introduced by commit 826b5de90c0b ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"), and it is difficult to show that any of the interval parameters will satisfy the snd_interval_test() condition with data from the amdtp_rate_table[] table. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50205 was patched at 2024-11-19
262. Incorrect Calculation - Linux Kernel (CVE-2024-50232) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() In the ad7124_write_raw() function, parameter val can potentially be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST() is called within ad7124_set_channel_odr(). The ad7124_write_raw() function is invoked through the sequence: iio_write_channel_raw() -> iio_write_channel_attribute() -> iio_channel_write(), with no checks in place to ensure val is non-zero.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50232 was patched at 2024-11-19
263. Incorrect Calculation - Linux Kernel (CVE-2024-50233) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() In the ad9832_write_frequency() function, clk_get_rate() might return 0. This can lead to a division by zero when calling ad9832_calc_freqreg(). The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect against the case when fout is 0. The ad9832_write_frequency() function is called from ad9832_write(), and fout is derived from a text buffer, which can contain any value.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50233 was patched at 2024-11-19
264. Incorrect Calculation - Linux Kernel (CVE-2024-50258) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: fix crash when config small gso_max_size/gso_ipv4_max_size Configuring a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than the device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add a check for the minimum value of gso_max_size and gso_ipv4_max_size.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Incorrect Calculation |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2024-50258 was patched at 2024-11-19
265. Memory Corruption - Linux Kernel (CVE-2022-48953) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: rtc: cmos: Fix event handler registration ordering issue Because acpi_install_fixed_event_handler() enables the event automatically on success, it is incorrect to call it before the handler routine passed to it is ready to handle events. Unfortunately, the rtc-cmos driver does exactly the incorrect thing by calling cmos_wake_setup(), which passes rtc_handler() to acpi_install_fixed_event_handler(), before cmos_do_probe(), because rtc_handler() uses dev_get_drvdata() to get to the cmos object pointer and the driver data pointer is only populated in cmos_do_probe(). This leads to a NULL pointer dereference in rtc_handler() on boot if the RTC fixed event happens to be active at the init time. To address this issue, change the initialization ordering of the driver so that cmos_wake_setup() is always called after a successful cmos_do_probe() call. While at it, change cmos_pnp_probe() to call cmos_do_probe() after the initial if () statement used for computing the IRQ argument to be passed to cmos_do_probe() which is cleaner than calling it in each branch of that if () (local variable "irq" can be of type int, because it is passed to that function as an argument of type int). Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number of systems, because previously it only affected systems with ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that commit.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48953 was patched at 2024-11-19
266. Memory Corruption - Linux Kernel (CVE-2022-48955) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: thunderbolt: fix memory leak in tbnet_open() When tb_ring_alloc_rx() fails in tbnet_open(), the ida allocated in tb_xdomain_alloc_out_hopid() is not released. Add tb_xdomain_release_out_hopid() to the error path to release the ida.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48955 was patched at 2024-11-19
267. Memory Corruption - Linux Kernel (CVE-2022-48957) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove() The cmd_buff needs to be freed when an error happens in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48957 was patched at 2024-11-19
268. Memory Corruption - Linux Kernel (CVE-2022-48959) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() When dsa_devlink_region_create() fails in sja1105_setup_devlink_regions(), priv->regions is not released.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48959 was patched at 2024-11-19
269. Memory Corruption - Linux Kernel (CVE-2022-48961) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: mdio: fix unbalanced fwnode reference count in mdio_device_release() There is a warning report about an of_node refcount leak while probing an mdio device: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4 In of_mdiobus_register_device(), we increase the fwnode refcount by fwnode_handle_get() before associating the of_node with the mdio device, but it is never decreased in the normal path. Because of that, mdio_device_release() needs to call fwnode_handle_put() in addition, instead of calling kfree() directly. After the above, just calling mdio_device_free() in the error handling path of of_mdiobus_register_device() is enough to keep the refcount balanced.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48961 was patched at 2024-11-19
270. Memory Corruption - Linux Kernel (CVE-2022-48963) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: fix memory leak in ipc_mux_init() When allocating ipc_mux->ul_adb.pp_qlt in ipc_mux_init() fails, ipc_mux is not released.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2022-48963 was patched at 2024-11-19
271. Memory Corruption - Linux Kernel (CVE-2022-48968) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential memory leak in otx2_init_tc() In otx2_init_tc(), if rhashtable_init() fails, it does not free tc->tc_entries_bitmap, which is allocated in otx2_tc_alloc_ent_bitmap().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48968 was patched at 2024-11-19
272. Memory Corruption - Linux Kernel (CVE-2022-48969) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Fix NULL sring after live migration A NAPI is set up for each network sring to poll data to the kernel. The sring with the source host is destroyed before live migration and a new sring with the target host is set up after live migration. The NAPI for the old sring is not deleted until the new sring with the target host is set up after migration. With busy_poll/busy_read enabled, the NAPI can be polled before it is deleted when the VM resumes. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xennet_poll+0xae/0xd20 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Call Trace: finish_task_switch+0x71/0x230 timerqueue_del+0x1d/0x40 hrtimer_try_to_cancel+0xb5/0x110 xennet_alloc_rx_buffers+0x2a0/0x2a0 napi_busy_loop+0xdb/0x270 sock_poll+0x87/0x90 do_sys_poll+0x26f/0x580 tracing_map_insert+0x1d4/0x2f0 event_hist_trigger+0x14a/0x260 finish_task_switch+0x71/0x230 __schedule+0x256/0x890 recalc_sigpending+0x1b/0x50 xen_sched_clock+0x15/0x20 __rb_reserve_next+0x12d/0x140 ring_buffer_lock_reserve+0x123/0x3d0 event_triggers_call+0x87/0xb0 trace_event_buffer_commit+0x1c4/0x210 xen_clocksource_get_cycles+0x15/0x20 ktime_get_ts64+0x51/0xf0 SyS_ppoll+0x160/0x1a0 SyS_ppoll+0x160/0x1a0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x41/0xa6 ... RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 CR2: 0000000000000008 ---[ end trace f8601785b354351c ]--- The xen frontend should remove the NAPIs for the old srings before live migration, as the bound srings are destroyed. There is a tiny window between the srings being set to NULL and the NAPIs being disabled; it is safe as the NAPI threads are still frozen at that time.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48969 was patched at 2024-11-19
273. Memory Corruption - Linux Kernel (CVE-2022-48970) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: af_unix: Get user_ns from in_skb in unix_diag_get_exact(). Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed the root cause: in unix_diag_get_exact(), the newly allocated skb does not have sk. [2] We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to sk_diag_fill(). [0]: BUG: kernel NULL pointer dereference, address: 0000000000000270 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:sk_user_ns include/net/sock.h:920 [inline] RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline] RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170 Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8 54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b 9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d RSP: 0018:ffffc90000d67968 EFLAGS: 00010246 RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270 RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000 R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800 R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940 FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> unix_diag_get_exact net/unix/diag.c:285 [inline] unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317 
__sock_diag_cmd net/core/sock_diag.c:235 [inline] sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266 netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x38f/0x500 net/socket.c:2476 ___sys_sendmsg net/socket.c:2530 [inline] __sys_sendmsg+0x197/0x230 net/socket.c:2559 __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x4697f9 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80 R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0 </TASK> Modules linked in: CR2: 0000000000000270 [1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/ [2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48970 was patched at 2024-11-19
274. Memory Corruption - Linux Kernel (CVE-2022-48972) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Kernel fault injection test reports null-ptr-deref as follows: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 Call Trace: <TASK> raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87 call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944 unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982 unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879 register_netdevice+0x9a8/0xb90 net/core/dev.c:10083 ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659 ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229 mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316 ieee802154_if_add() allocates wpan_dev as netdev's private data, but does not init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manages the list when the device registers/unregisters, and may lead to a null-ptr-deref. Use INIT_LIST_HEAD() on it to initialize it correctly.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48972 was patched at 2024-11-19
275. Memory Corruption - Linux Kernel (CVE-2022-48975) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix memory leak in gpiochip_setup_dev() Here is a backtrace report about a memory leak detected in gpiochip_setup_dev(): unreferenced object 0xffff88810b406400 (size 512): comm "python3", pid 1682, jiffies 4295346908 (age 24.090s) backtrace: kmalloc_trace device_add device_private_init at drivers/base/core.c:3361 (inlined by) device_add at drivers/base/core.c:3411 cdev_device_add gpiolib_cdev_register gpiochip_setup_dev gpiochip_add_data_with_key gcdev_register() & gcdev_unregister() would call device_add() & device_del() (no matter whether CONFIG_GPIO_CDEV is enabled or not) to register/unregister the device. However, if device_add() succeeds, some resources (like struct device_private allocated by device_private_init()) are not released by device_del(). Therefore, after device_add() succeeds in gcdev_register(), it needs to call put_device() to release the resources in the error handling path. Here we move forward the registration of the release function, and let it release every piece of resource by put_device() instead of kfree(). While at it, fix another subtle issue, i.e. when gc->ngpio is equal to 0, we still call kcalloc() and, in case of further error, kfree() on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, but rather a waste of resources and potentially a wrong expectation about the contents of the gdev->descs variable.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48975 was patched at 2024-11-19
276. Memory Corruption - Linux Kernel (CVE-2022-48977) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: can: af_can: fix NULL pointer dereference in can_rcv_filter Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer dereference in can_rx_register()") we need to check for a missing initialization of ml_priv in the receive path of CAN frames. Since commit 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") the check for dev->type to be ARPHRD_CAN is not sufficient anymore since bonding or tun netdevices claim to be CAN devices but do not initialize ml_priv accordingly.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48977 was patched at 2024-11-19
277. Memory Corruption - Linux Kernel (CVE-2022-48983) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_tctx_exit_cb+0x53/0xd3 kasan_report+0xbb/0x1f0 ? io_tctx_exit_cb+0x53/0xd3 kasan_check_range+0x140/0x190 io_tctx_exit_cb+0x53/0xd3 task_work_run+0x164/0x250 ? task_work_cancel+0x30/0x30 get_signal+0x1c3/0x2440 ? lock_downgrade+0x6e0/0x6e0 ? lock_downgrade+0x6e0/0x6e0 ? exit_signals+0x8b0/0x8b0 ? do_raw_read_unlock+0x3b/0x70 ? do_raw_spin_unlock+0x50/0x230 arch_do_signal_or_restart+0x82/0x2470 ? kmem_cache_free+0x260/0x4b0 ? putname+0xfe/0x140 ? get_sigframe_size+0x10/0x10 ? do_execveat_common.isra.0+0x226/0x710 ? lockdep_hardirqs_on+0x79/0x100 ? putname+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... This happens because the adding of task_work from io_ring_exit_work() isn't synchronized with canceling all work items from eg exec. 
The execution of the two are ordered in that they are both run by the task itself, but if io_tctx_exit_cb() is queued while we're canceling all work items off exec AND gets executed when the task exits to userspace rather than in the main loop in io_uring_cancel_generic(), then we can find current->io_uring == NULL and hit the above crash. It's safe to add this NULL check here, because the execution of the two paths are done by the task itself. [axboe: add code comment and also put an explanation in the commit msg]
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48983 was patched at 2024-11-19
278. Memory Corruption - Linux Kernel (CVE-2022-48984) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: can: slcan: fix freed work crash The LTP test pty03 is causing a crash in slcan: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 Workqueue: 0x0 (events) RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185) Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968 RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0 RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734 R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000 R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0 FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0 Call Trace: <TASK> worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436) kthread (/home/rich/kernel/linux/kernel/kthread.c:376) ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312) Apparently, the slcan's tx_work is freed while being scheduled. While slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work), slcan_close() (tty side) does not. 
So when the netdev is never set UP, but the tty is stuffed with bytes and forced to wakeup write, the work is scheduled, but never flushed. So add an additional flush_work() to slcan_close() to be sure the work is flushed under all circumstances. The Fixes commit below moved flush_work() from slcan_close() to slcan_netdev_close(). What was the rationale behind it? Maybe we can drop the one in slcan_netdev_close()? I see the same pattern in can327. So it perhaps needs the very same fix.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2022-48984 was patched at 2024-11-19
279. Memory Corruption - Linux Kernel (CVE-2022-48992) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-pcm: Add NULL check in BE reparenting Add a NULL check in the dpcm_be_reparent API to handle a kernel NULL pointer dereference error. The issue occurred in a fuzzing test.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48992 was patched at 2024-11-19
280. Memory Corruption - Linux Kernel (CVE-2022-48995) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() There is a kmemleak when testing the raydium_i2c_ts with a bpf mock device: unreferenced object 0xffff88812d3675a0 (size 8): comm "python3", pid 349, jiffies 4294741067 (age 95.695s) hex dump (first 8 bytes): 11 0e 10 c0 01 00 04 00 ........ backtrace: [<0000000068427125>] __kmalloc+0x46/0x1b0 [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts] [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] [<00000000a310de16>] i2c_device_probe+0x651/0x680 [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 [<00000000096ba499>] __driver_probe_device+0xe3/0x170 [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 [<00000000264fe082>] __device_attach_driver+0xf7/0x150 [<00000000f919423c>] bus_for_each_drv+0x114/0x180 [<00000000e067feca>] __device_attach+0x1e5/0x2d0 [<0000000054301fc2>] bus_probe_device+0x126/0x140 [<00000000aad93b22>] device_add+0x810/0x1130 [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 [<00000000ffec4177>] of_i2c_notify+0x100/0x160 unreferenced object 0xffff88812d3675c8 (size 8): comm "python3", pid 349, jiffies 4294741070 (age 95.692s) hex dump (first 8 bytes): 22 00 36 2d 81 88 ff ff ".6-.... 
backtrace: [<0000000068427125>] __kmalloc+0x46/0x1b0 [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts] [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] [<00000000a310de16>] i2c_device_probe+0x651/0x680 [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 [<00000000096ba499>] __driver_probe_device+0xe3/0x170 [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 [<00000000264fe082>] __device_attach_driver+0xf7/0x150 [<00000000f919423c>] bus_for_each_drv+0x114/0x180 [<00000000e067feca>] __device_attach+0x1e5/0x2d0 [<0000000054301fc2>] bus_probe_device+0x126/0x140 [<00000000aad93b22>] device_add+0x810/0x1130 [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 [<00000000ffec4177>] of_i2c_notify+0x100/0x160 After BANK_SWITCH command from i2c BUS, no matter success or error happened, the tx_buf should be freed.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-48995 was patched at 2024-11-19
281. Memory Corruption - Linux Kernel (CVE-2022-49007) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() Syzbot reported a null-ptr-deref bug: NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0 fs/nilfs2/alloc.c:608 Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7 RSP: 0018:ffffc90003dff830 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010 RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158 R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0 Call Trace: <TASK> nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline] nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193 nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236 nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940 nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline] nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline] nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088 nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337 nilfs_collect_file_data+0x45/0xd0 
fs/nilfs2/segment.c:568 nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018 nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline] nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline] nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045 nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline] nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> ... If DAT metadata file is corrupted on disk, there is a case where req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(). If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in nilfs_palloc_commit_free_entry() function, which leads to a crash. Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free(). This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49007 was patched at 2024-11-19
282. Memory Corruption - Linux Kernel (CVE-2022-49009) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: hwmon: (asus-ec-sensors) Add checks for devm_kcalloc As devm_kcalloc may return NULL, the return value needs to be checked to avoid a NULL pointer dereference.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2022-49009 was patched at 2024-11-19
283. Memory Corruption - Linux Kernel (CVE-2022-49013) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: sctp: fix memory leak in sctp_stream_outq_migrate() When sctp_stream_outq_migrate() is called to release stream out resources, the memory pointed to by prio_head in stream out is not released. The memory leak information is as follows: unreferenced object 0xffff88801fe79f80 (size 64): comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s) hex dump (first 32 bytes): 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................ 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................ backtrace: [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60 [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770 [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0 [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30 [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0 [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0 [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120 [<ffffffff8755446a>] __sys_sendto+0x23a/0x340 [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0 [<ffffffff89978b49>] do_syscall_64+0x39/0xb0 [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49013 was patched at 2024-11-19
284. Memory Corruption - Linux Kernel (CVE-2022-49016) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: mdiobus: fix unbalanced node reference count I got the following report while doing a device (mscc-miim) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0 If the 'fwnode' is not an acpi node, the refcount is taken in fwnode_mdiobus_phy_device_register(), but it is never put when the device is freed in the normal path. So call fwnode_handle_put() in phy_device_release() to avoid the leak. If it's an acpi node, the refcount is never taken, but it's put in the error path, so call fwnode_handle_get() before phy_device_register() to keep the get/put operations balanced.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49016 was patched at 2024-11-19
285. Memory Corruption - Linux Kernel (CVE-2022-49019) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: ethernet: nixge: fix NULL dereference In function nixge_hw_dma_bd_release() dereference of NULL pointer priv->rx_bd_v is possible for the case of its allocation failure in nixge_hw_dma_bd_init(). Move for() loop with priv->rx_bd_v dereference under the check for its validity. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49019 was patched at 2024-11-19
286. Memory Corruption - Linux Kernel (CVE-2022-49021) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: phy: fix null-ptr-deref while probe() failed I got a null-ptr-deref report as follows when doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x23e/0x2d0 bus_remove_device+0x1bd/0x240 device_del+0x357/0x770 phy_device_remove+0x11/0x30 mdiobus_unregister+0xa5/0x140 release_nodes+0x6a/0xa0 devres_release_all+0xf8/0x150 device_unbind_cleanup+0x19/0xd0 //probe path: phy_device_register() device_add() phy_connect phy_attach_direct() //set device driver probe() //it's failed, driver is not bound device_bind_driver() // probe failed, it's not called //remove path: phy_device_remove() device_del() device_release_driver_internal() __device_release_driver() //dev->drv is not NULL klist_remove() <- knode_driver is not added yet, cause null-ptr-deref In phy_attach_direct(), after setting the 'dev->driver', probe() fails, device_bind_driver() is not called, so the knode_driver->n_klist is not set, then it causes null-ptr-deref in __device_release_driver() while deleting device. Fix this by setting dev->driver to NULL in the error path in phy_attach_direct().
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2022-49021 was patched at 2024-11-19
287. Memory Corruption - Linux Kernel (CVE-2023-52779) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: fs: Pass AT_GETATTR_NOSEC flag to getattr interface function When vfs_getattr_nosec() calls a filesystem's getattr interface function then the 'nosec' should propagate into this function so that vfs_getattr_nosec() can again be called from the filesystem's getattr rather than vfs_getattr(). The latter would add unnecessary security checks that the initial vfs_getattr_nosec() call wanted to avoid. Therefore, introduce the getattr flag GETATTR_NOSEC and allow to pass with the new getattr_flags parameter to the getattr interface function. In overlayfs and ecryptfs use this flag to determine which one of the two functions to call. In a recent code change introduced to IMA vfs_getattr_nosec() ended up calling vfs_getattr() in overlayfs, which in turn called security_inode_getattr() on an exiting process that did not have current->fs set anymore, which then caused a kernel NULL pointer dereference. With this change the call to security_inode_getattr() can be avoided, thus avoiding the NULL pointer dereference.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
redos: CVE-2023-52779 was patched at 2024-11-19
288. Memory Corruption - Linux Kernel (CVE-2023-52783) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: net: wangxun: fix kernel panic due to null pointer When the device uses a custom subsystem vendor ID, the function wx_sw_init() returns before the memory of 'wx->mac_table' is allocated. The null pointer will cause the kernel panic.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
redos: CVE-2023-52783 was patched at 2024-11-19
289. Memory Corruption - Linux Kernel (CVE-2023-52918) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: media: pci: cx23885: check cx23885_vdev_init() return cx23885_vdev_init() can return a NULL pointer, but that pointer is used in the next line without a check. Add a NULL pointer check and go to the error unwind if it is NULL.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2023-52918 was patched at 2024-11-19
ubuntu: CVE-2023-52918 was patched at 2024-10-31, 2024-11-04, 2024-11-06, 2024-11-07, 2024-11-11, 2024-11-12, 2024-11-14, 2024-11-19, 2024-11-20
290. Memory Corruption - Linux Kernel (CVE-2023-52919) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
debian: CVE-2023-52919 was patched at 2024-11-19
291. Memory Corruption - Linux Kernel (CVE-2023-52920) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: bpf: support non-r10 register spill/fill to/from stack in precision tracking Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it *and* potentially adjusting offset. To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking. This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches. There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states). File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) -------------------------------------- ------------- --------- --------- ------------- ---------- ---------- ------------- test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%) xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%) xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%) Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees. Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. In this case, we don't want two entries, so we need to reuse last added entry, if it is present. Relying on insn_idx comparison has the same ambiguity problem as the one that was fixed recently in [0], so we avoid that. [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
debian: CVE-2023-52920 was patched at 2024-11-19
292. Memory Corruption - Linux Kernel (CVE-2024-26909) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free A recent DRM series purporting to simplify support for "transparent bridges" and handling of probe deferrals ironically exposed a use-after-free issue on pmic_glink_altmode probe deferral. This has manifested itself as the display subsystem occasionally failing to initialise and NULL-pointer dereferences during boot of machines like the Lenovo ThinkPad X13s. Specifically, the dp-hpd bridge is currently registered before all resources have been acquired which means that it can also be deregistered on probe deferrals. In the meantime there is a race window where the new aux bridge driver (or PHY driver previously) may have looked up the dp-hpd bridge and stored a (non-reference-counted) pointer to the bridge which is about to be deallocated. When the display controller is later initialised, this triggers a use-after-free when attaching the bridges: dp -> aux -> dp-hpd (freed) which may, for example, result in the freed bridge failing to attach: [drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16 or a NULL-pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ... Call trace: drm_bridge_attach+0x70/0x1a8 [drm] drm_aux_bridge_attach+0x24/0x38 [aux_bridge] drm_bridge_attach+0x80/0x1a8 [drm] dp_bridge_init+0xa8/0x15c [msm] msm_dp_modeset_init+0x28/0xc4 [msm] The DRM bridge implementation is clearly fragile and implicitly built on the assumption that bridges may never go away. In this case, the fix is to move the bridge registration in the pmic_glink_altmode driver to after all resources have been looked up. Incidentally, with the new dp-hpd bridge implementation, which registers child devices, this is also a requirement due to a long-standing issue in driver core that can otherwise lead to a probe deferral loop (see commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")). [DB: slightly fixed commit message by adding the word 'commit']
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
redos: CVE-2024-26909 was patched at 2024-10-28
293. Memory Corruption - Linux Kernel (CVE-2024-40907) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: ionic: fix kernel panic in XDP_TX action In the XDP_TX path, ionic driver sends a packet to the TX path with rx page and corresponding dma address. After tx is done, ionic_tx_clean() frees that page. But RX ring buffer isn't reset to NULL. So, it uses a freed page, which causes kernel panic. BUG: unable to handle page fault for address: ffff8881576c110c PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060 Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11 Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8 RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283 RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002 RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8 R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100 FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x254/0x790 ? __pfx_page_fault_oops+0x10/0x10 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? search_bpf_extables+0x165/0x260 ? fixup_exception+0x4a/0x970 ? exc_page_fault+0xcb/0xe0 ? asm_exc_page_fault+0x22/0x30 ? 0xffffffffc0051f64 ? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f ? do_raw_spin_unlock+0x54/0x220 ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864] __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x7e7/0xc30 ? __pfx_net_rx_action+0x10/0x10
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
oraclelinux: CVE-2024-40907 was patched at 2024-11-14
294. Memory Corruption - Linux Kernel (CVE-2024-41010) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix too early release of tcx_entry Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported an issue that the tcx_entry can be released too early leading to a use after free (UAF) when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance. Essentially, the sequence to trigger the UAF (one example) can be as follows: 1. A network namespace is created 2. An ingress qdisc is created. This allocates a tcx_entry, and &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the same time, a tcf block with index 1 is created. 3. chain0 is attached to the tcf block. chain0 must be connected to the block linked to the ingress qdisc to later reach the function tcf_chain0_head_change_cb_del() which triggers the UAF. 4. Create and graft a clsact qdisc. This causes the ingress qdisc created in step 1 to be removed, thus freeing the previously linked tcx_entry: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy() => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry freed 5. Finally, the network namespace is closed. This registers the cleanup_net worker, and during the process of releasing the remaining clsact qdisc, it accesses the tcx_entry that was already freed in step 4, causing the UAF to occur: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair_swap() // UAF There are also other variants, the gist is to add an ingress (or clsact) qdisc with a specific shared block, then to replace that qdisc, waiting for the tcx_entry kfree_rcu() to be executed and subsequently accessing the current active qdisc's miniq one way or another. The correct fix is to turn the miniq_active boolean into a counter. What can be observed, at step 2 above, the counter transitions from 0->1, at step [a] from 1->2 (in order for the miniq object to remain active during the replacement), then in [b] from 2->1 and finally [c] 1->0 with the eventual release. The reference counter in general ranges from [0,2] and it does not need to be atomic since all access to the counter is protected by the rtnl mutex. With this in place, there is no longer a UAF happening and the tcx_entry is freed at the correct time.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
ubuntu: CVE-2024-41010 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
295. Memory Corruption - Linux Kernel (CVE-2024-41037) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: fix null deref on system suspend entry When system enters suspend with an active stream, SOF core calls hw_params_upon_resume(). On Intel platforms with HDA DMA used to manage the link DMA, this leads to call chain of hda_dsp_set_hw_params_upon_resume() -> hda_dsp_dais_suspend() -> hda_dai_suspend() -> hda_ipc4_post_trigger() A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first, which clears hext_stream->link_substream, and then hda_ipc4_post_trigger() is called with a NULL snd_pcm_substream pointer.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
ubuntu: CVE-2024-41037 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
296. Memory Corruption - Linux Kernel (CVE-2024-41053) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix ufshcd_abort_one racing issue When ufshcd_abort_one is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by ISR. Return success when request is completed by ISR because ufshcd_abort_one does not need to do anything. The racing flow is: Thread A ufshcd_err_handler step 1 ... ufshcd_abort_one ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5 Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done ... __blk_mq_free_request rq->mq_hctx = NULL; step 4 Below is KE back trace. ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device. ufshcd_try_to_abort_task: cmd at tag=41 is cleared. Aborting tag 41 / CDB 0x28 succeeded Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise] do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
ubuntu: CVE-2024-41053 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
297. Memory Corruption - Linux Kernel (CVE-2024-41054) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix ufshcd_clear_cmd racing issue When ufshcd_clear_cmd is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by the ISR. And ufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE. Return success when the request is completed by ISR because sq does not need cleanup. The racing flow is: Thread A ufshcd_err_handler step 1 ufshcd_try_to_abort_task ufshcd_cmd_inflight(true) step 3 ufshcd_clear_cmd ... ufshcd_mcq_req_to_hwq blk_mq_unique_tag rq->mq_hctx->queue_num step 5 Thread B ufs_mtk_mcq_intr(cq complete ISR) step 2 scsi_done ... __blk_mq_free_request rq->mq_hctx = NULL; step 4 Below is KE back trace: ufshcd_try_to_abort_task: cmd pending in the device. tag = 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194 pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14 lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise] Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise] Call trace: dump_backtrace+0xf8/0x148 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c mrdump_common_die+0x24c/0x398 [mrdump] ipanic_die+0x20/0x34 [mrdump] notify_die+0x80/0xd8 die+0x94/0x2b8 __do_kernel_fault+0x264/0x298 do_page_fault+0xa4/0x4b8 do_translation_fault+0x38/0x54 do_mem_abort+0x58/0x118 el1_abort+0x3c/0x5c el1h_64_sync_handler+0x54/0x90 el1h_64_sync+0x68/0x6c blk_mq_unique_tag+0x8/0x14 ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise] ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise] ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise] process_one_work+0x208/0x4fc worker_thread+0x228/0x438 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
ubuntu: CVE-2024-41054 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
298. Memory Corruption - Linux Kernel (CVE-2024-41083) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid Fix netfs_page_mkwrite() to check that folio->mapping is valid once it has taken the folio lock (as filemap_page_mkwrite() does). Without this, generic/247 occasionally oopses with something like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page RIP: 0010:trace_event_raw_event_netfs_folio+0x61/0xc0 ... Call Trace: <TASK> ? __die_body+0x1a/0x60 ? page_fault_oops+0x6e/0xa0 ? exc_page_fault+0xc2/0xe0 ? asm_exc_page_fault+0x22/0x30 ? trace_event_raw_event_netfs_folio+0x61/0xc0 trace_netfs_folio+0x39/0x40 netfs_page_mkwrite+0x14c/0x1d0 do_page_mkwrite+0x50/0x90 do_pte_missing+0x184/0x200 __handle_mm_fault+0x42d/0x500 handle_mm_fault+0x121/0x1f0 do_user_addr_fault+0x23e/0x3c0 exc_page_fault+0xc2/0xe0 asm_exc_page_fault+0x22/0x30 This is due to the invalidate_inode_pages2_range() issued at the end of the DIO write interfering with the mmap'd writes.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
ubuntu: CVE-2024-41083 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
299. Memory Corruption - Linux Kernel (CVE-2024-41084) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: cxl/region: Avoid null pointer dereference in region lookup cxl_dpa_to_region() looks up a region based on a memdev and DPA. It wrongly assumes an endpoint found mapping the DPA is also of a fully assembled region. When not true it leads to a null pointer dereference looking up the region name. This appears during testing of region lookup after a failure to assemble a BIOS defined region or if the lookup raced with the assembly of the BIOS defined region. Failure to clean up BIOS defined regions that fail assembly is an issue in itself and a fix to that problem will alleviate some of the impact. It will not alleviate the race condition so let's harden this path. The behavior change is that the kernel oops due to a null pointer dereference is replaced with a dev_dbg() message noting that an endpoint was mapped. Additional comments are added so that future users of this function can more clearly understand what it provides.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00042, EPSS Percentile is 0.05115 |
oraclelinux: CVE-2024-41084 was patched at 2024-11-14
ubuntu: CVE-2024-41084 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
300. Memory Corruption - Linux Kernel (CVE-2024-41085) - Medium [322]
Description: In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix no cxl_nvd during pmem region auto-assembling. When the CXL subsystem is auto-assembling a pmem region during cxl endpoint port probing, the call trace below is always hit.

    BUG: kernel NULL pointer dereference, address: 0000000000000078
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]
    Call Trace:
    <TASK>
    ? __die+0x24/0x70
    ? page_fault_oops+0x82/0x160
    ? do_user_addr_fault+0x65/0x6b0
    ? exc_page_fault+0x7d/0x170
    ? asm_exc_page_fault+0x26/0x30
    ? cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem]
    ? cxl_pmem_region_probe+0x1ac/0x360 [cxl_pmem]
    cxl_bus_probe+0x1b/0x60 [cxl_core]
    really_probe+0x173/0x410
    ? __pfx___device_attach_driver+0x10/0x10
    __driver_probe_device+0x80/0x170
    driver_probe_device+0x1e/0x90
    __device_attach_driver+0x90/0x120
    bus_for_each_drv+0x84/0xe0
    __device_attach+0xbc/0x1f0
    bus_probe_device+0x90/0xa0
    device_add+0x51c/0x710
    devm_cxl_add_pmem_region+0x1b5/0x380 [cxl_core]
    cxl_bus_probe+0x1b/0x60 [cxl_core]

The cxl_nvd of the memdev needs to be available during the pmem region probe. Currently the cxl_nvd is registered after the endpoint port probe. The endpoint probe, in the case of autoassembly of regions, can cause a pmem region probe requiring the not yet available cxl_nvd. Adjust the sequence so this dependency is met. This requires adding a port parameter to cxl_find_nvdimm_bridge() that can be used to query the ancestor root port. The endpoint port is not yet available, but will share a common ancestor with its parent, so start the query from there instead.
Component | Value | Weight | Comment |
---|---|---|---|
Exploited in the Wild | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
Exploit Exists | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
Criticality of Vulnerability Type | 0.5 | 15 | Memory Corruption |
Vulnerable Product is Common | 0.9 | 14 | The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel |
CVSS Base Score | 0.6 | 10 | CVSS Base Score is 5.5. According to NVD data source |
EPSS Percentile | 0.1 | 10 | EPSS Probability is 0.00043, EPSS Percentile is 0.10278 |
oraclelinux: CVE-2024-41085 was patched at 2024-11-14
ubuntu: CVE-2024-41085 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19
301. Memory Corruption - Linux Kernel (