CVE-2023-41278
Published: 2024-02-02
Priority: P3 · 46 · high · CVSS 3.1 base score 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.55% (41.7th percentile)
A buffer copy without checking size of input vulnerability (CWE-120) has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. The CVSS vector's PR:H reflects that precondition: the attacker needs administrator credentials on the NAS, so exposure is driven by reachability of the admin interface and by credential hygiene rather than by unauthenticated access.
We have already fixed the vulnerability in the following versions:
QTS 5.1.2.2533 build 20230926 and later
QuTS hero h5.1.2.2534 build 20230927 and later
QuTScloud c5.1.5.2651 and later
Affected
17 ranges (14 NVD CPE rows for qnap:qts, qnap:quts_hero and qnap:qutscloud carry no version bounds; the three vendor ranges below hold the usable data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap_systems_inc | qts | >= 5.1.x < 5.1.2.2533 build 20230926 | 5.1.2.2533 build 20230926 |
| qnap_systems_inc | quts_hero | >= h5.1.x < h5.1.2.2534 build 20230927 | h5.1.2.2534 build 20230927 |
| qnap_systems_inc | qutscloud | >= c5.x.x < c5.1.5.2651 | c5.1.5.2651 |
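The fixed-version list and the affected table above are what a practitioner actually needs to act on, and QNAP's version strings ("5.1.2.2533 build 20230926", "h5.1.2.2534 build 20230927", "c5.1.5.2651") do not compare as plain dotted numbers. The following is an added example, not QNAP's code or part of the advisory: it parses that format (product letter prefix, dotted release, optional build date), judges each version against the fixed version of the product its prefix selects, and reports versions below the listed branch (for example QTS 5.0.x) as outside the advisory's range instead of guessing. The parsing and comparison rules, the host names and the inventory versions are this example's assumptions; only the fixed versions and branch floors come from the page.

```python
"""Added example (not QNAP's code): triage NAS inventory against the fixed
versions in this advisory. Assumes version strings in the advisory's own
format: optional product letter (h = QuTS hero, c = QuTScloud, none = QTS),
a dotted numeric release, and an optional 'build YYYYMMDD' suffix."""
import re

# Fixed versions and affected branches are the advisory's data; everything
# else here (parsing, comparison rules, host names) is this example's assumption.
FIXED = {
    "qts": "5.1.2.2533 build 20230926",
    "quts_hero": "h5.1.2.2534 build 20230927",
    "qutscloud": "c5.1.5.2651",
}
AFFECTED_FROM = {"qts": "5.1", "quts_hero": "h5.1", "qutscloud": "c5"}
PREFIX_TO_PRODUCT = {"": "qts", "h": "quts_hero", "c": "qutscloud"}

_VER_RE = re.compile(r"^\s*([hc]?)(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?\s*$", re.IGNORECASE)


def parse_version(text):
    """'h5.1.2.2534 build 20230927' -> ('h', (5, 1, 2, 2534), 20230927).
    A missing build date becomes 0, so an unknown build never passes as fixed."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    prefix, dotted, build = m.groups()
    return prefix.lower(), tuple(int(p) for p in dotted.split(".")), int(build or 0)


def _sort_key(nums, build, width):
    # Right-pad with zeros so 5.1 == 5.1.0.0, then tiebreak on the build date.
    return nums + (0,) * (width - len(nums)), build


def status(text):
    """Return 'fixed', 'affected' or 'outside_listed_range' for one version,
    judged against the fixed version of the product its prefix selects."""
    prefix, nums, build = parse_version(text)
    product = PREFIX_TO_PRODUCT[prefix]
    _, fixed_nums, fixed_build = parse_version(FIXED[product])
    branch = parse_version(AFFECTED_FROM[product])[1]
    # Versions below the listed branch (e.g. QTS 5.0.x) are not in the
    # advisory's affected range; report that rather than guessing.
    head = (nums + (0,) * len(branch))[:len(branch)]
    if head < branch:
        return "outside_listed_range"
    width = max(len(nums), len(fixed_nums))
    if _sort_key(nums, build, width) >= _sort_key(fixed_nums, fixed_build, width):
        return "fixed"
    return "affected"


# Constructed sample inventory (host names and versions invented for the demo).
INVENTORY = [
    ("nas-01", "5.1.2.2533 build 20230926"),
    ("nas-02", "5.1.1.2491 build 20230815"),
    ("nas-03", "h5.1.2.2534 build 20230927"),
    ("nas-04", "h5.1.2.2534"),
    ("nas-05", "c5.1.5.2651"),
    ("nas-06", "c5.0.1.2374"),
    ("nas-07", "5.0.1.2277 build 20230112"),
]


def triage(inventory):
    """Map each host to its status; unparsable version strings are reported, not skipped."""
    out = {}
    for host, version in inventory:
        try:
            out[host] = status(version)
        except ValueError as exc:
            out[host] = f"error: {exc}"
    return out


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:8s} {result}")
```

The conservative choice is the build-date tiebreak: a host reporting "h5.1.2.2534" with no build date is flagged as affected, because the advisory's floor for QuTS hero is the specific build 20230927 and a version string without it cannot prove the host is at or past that build.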
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vendor_redhat 7.8 HIGH (not a score for this CVE: Red Hat does not ship QNAP software, and 7.8 is Red Hat's score for CVE-2023-53257 in the cross-matched entries below, which share nothing with this advisory beyond the "41278" in the KB URL https://access.redhat.com/solutions/41278)
GHSA
GHSA-682p-65cm-q45c · ghsa_unreviewed · 2024-02-02 · CVE-2023-41278 [MEDIUM] CWE-120: A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions (same description and same three fixed versions as above: QTS 5.1.2.2533 build 20230926, QuTS hero h5.1.2.2534 build 20230927, QuTScloud c5.1.5.2651).
Red Hat (cross-matched entries: the Linux kernel advisories below cite https://access.redhat.com/solutions/41278 and are unrelated to QNAP or CVE-2023-41278)
kernel: wifi: mac80211: check S1G action frame size
vendor_redhat·2025-09-15·CVSS 7.8
CVE-2023-53257 [HIGH] kernel: wifi: mac80211: check S1G action frame size
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check S1G action frame size
Before checking the action code, check that it even
exists in the frame.
Statement: Exploitable by an RF-adjacent attacker via malformed 802.11ah (S1G) action frames. No local privileges required. Impact is limited to potential denial-of-service from a kernel crash. Not applicable where 802.11ah/S1G is not in use.
Fixed starting from the Red Hat Enterprise Linux 9.4.
Mitigation: To mitigate this issue, prevent module mac80211 from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 10) - Not
Red Hat
kernel: block, bfq: fix uaf for bfqq in bic_set_bfqq()
vendor_redhat·2025-03-27·CVSS 7.8
CVE-2023-52983 [HIGH] kernel: block, bfq: fix uaf for bfqq in bic_set_bfqq()
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for bfqq in bic_set_bfqq()
After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
bic->bfqq.
Fix the problem by always freeing bfqq after bic_set_bfqq().
Statement: Red Hat Enterprise Linux (all versions) is not affected, because the part of the source code that contains the bug has not been introduced yet.
Mitigation: To mitigate this issue, prevent module bfq from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading autom
Red Hat
kernel: OOB Access in smb2_dump_detail
vendor_redhat·2023-12-04·CVSS 7.1
CVE-2023-6610 [HIGH] CWE-125 kernel: OOB Access in smb2_dump_detail
An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
Mitigation: To mitigate this issue, prevent module cifs from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Out of suppo
Red Hat
kernel: Out-Of-Bounds Read vulnerability in smbCalcSize
vendor_redhat·2023-12-04·CVSS 7.1
CVE-2023-6606 [HIGH] CWE-125 kernel: Out-Of-Bounds Read vulnerability in smbCalcSize
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
Mitigation: To mitigate this issue, prevent module cifs from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Out o
Red Hat
kernel: race condition between HCIUARTSETPROTO and HCIUARTGETPROTO in hci_uart_tty_ioctl
vendor_redhat·2023-04-17·CVSS 4.7
CVE-2023-31083 [MEDIUM] kernel: race condition between HCIUARTSETPROTO and HCIUARTGETPROTO in hci_uart_tty_ioctl
An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.
A NULL pointer dereference flaw was found in the Linux kernel’s Bluetooth HCI UART driver. This flaw allows a local user to crash the system.
Mitigation: To mitigate this issue, prevent module hci_uart from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Ent
Red Hat
kernel: out-of-bounds write in qfq_change_class function
vendor_redhat·2023-04-13·CVSS 7.8
CVE-2023-31436 [HIGH] CWE-787 kernel: out-of-bounds write in qfq_change_class function
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
An out-of-bounds memory access flaw was found in the Linux kernel’s traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Mitigation: To mitigate this issue, prevent the module, sch_qfq from being loaded. Please see https://access.redhat.com/solutions/41278 for information on how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 9) - Not affe
Red Hat
kernel: use-after-free in bq24190_remove in drivers/power/supply/bq24190_charger.c
vendor_redhat·2023-03-10·CVSS 4.7
CVE-2023-33288 [MEDIUM] CWE-416 kernel: use-after-free in bq24190_remove in drivers/power/supply/bq24190_charger.c
An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.
A use-after-free flaw was found in bq24190_remove in drivers/power/supply/bq24190_charger.c in the power subsystem in the Linux Kernel. This flaw allows a local attacker to crash the system due to a race problem.
Mitigation: In order to mitigate this issue it is possible to prevent the affected code from being loaded by blacklisting the kernel module bq24190-charger. For instructions relating to how to blacklist a kernel module, refer to: https://access.redhat.com/solutions/41278
Packa
Red Hat
kernel: drivers/usb/storage/ene_ub6250.c
vendor_redhat·2023-02-04·CVSS 5.5
CVE-2023-45862 [MEDIUM] kernel: drivers/usb/storage/ene_ub6250.c
An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.
An out-of-bounds memory access flaw was found in the Linux kernel ENE SD/MS Card reader driver. This issue occurs when using a malicious USB device, which could allow a local user to crash the system.
Mitigation: To mitigate this issue, prevent module ums-eneub6250 from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Out of support scope
Package: kern
Red Hat
kernel: tap: tap_open(): correctly initialize socket uid
vendor_redhat·2023-02-04·CVSS 5.5
CVE-2023-1076 [MEDIUM] CWE-843 kernel: tap: tap_open(): correctly initialize socket uid
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and get unauthorized access to some resources.
Mitigation: To mitigate this issue, prevent modules tap and tun from being loaded. Please see https://access.redhat.com/solutions/41278
Red Hat
kernel: net/tls: tls_is_tx_ready() checked list_entry
vendor_redhat·2023-01-28·CVSS 3.3
CVE-2023-1075 [LOW] CWE-843 kernel: net/tls: tls_is_tx_ready() checked list_entry
A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.
A memory leak flaw was found in the Linux kernel's TLS protocol. This issue could allow a local user unauthorized access to some memory.
Mitigation: To mitigate this issue, prevent module tls from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise
Red Hat
kernel: sctp: fail if no bound addresses can be used for a given scope
vendor_redhat·2023-01-23·CVSS 5.5
CVE-2023-1074 [MEDIUM] CWE-401 kernel: sctp: fail if no bound addresses can be used for a given scope
A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service.
Mitigation: To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to pr
Red Hat
kernel: UAF during login when accessing the shost ipaddress
vendor_redhat·2023-01-17·CVSS 5.5
CVE-2023-2162 [MEDIUM] CWE-416 kernel: UAF during login when accessing the shost ipaddress
A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
A use-after-free flaw was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in the SCSI sub-component in the Linux Kernel. This issue could allow an attacker to leak kernel internal information.
Mitigation: This flaw can be mitigated by preventing the affected iscsi_tcp.ko kernel module from loading during the boot time, ensure the module is added into the blacklist file.
Refer: How do I blacklist a kernel module to prevent it from loading automatically? https://access.redhat.com/solutions/41278
Pack
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-02-02
Published