Debian Linux vulnerabilities
9,911 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown
CRITICAL: 1128, HIGH: 4110, MEDIUM: 4311, LOW: 362
Vulnerabilities
CVE-2024-35791 [HIGH] CVSS 7.8 | CWE-416 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
Do the cache flush of converted pages in svm_register_enc_region() before
dropping kvm->lock to fix use-after-free issues where region and/or its
array of pages could be freed by a different task, e.g. if
nvd
CVE-2023-52696 [HIGH] CVSS 7.5 | CWE-476 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
powerpc/powernv: Add a null pointer check in opal_powercap_init()
kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure.
nvd
CVE-2023-52679 [HIGH] CVSS 7.8 | CWE-415 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
of: Fix double free in of_parse_phandle_with_args_map
In of_parse_phandle_with_args_map() the inner loop that
iterates through the map entries calls of_node_put(new)
to free the reference acquired by the previous iteration
of the inner loop. This assumes that the value of "new" is
N
nvd
CVE-2023-52691 [HIGH] CVSS 7.8 | CWE-415 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: fix a double-free in si_dpm_init
When the allocation of
adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,
amdgpu_free_extended_power_table is called to free some fields of adev.
However, when the control flow returns to si_dpm_sw_init, it goes to
label dpm
nvd
CVE-2024-35789 [HIGH] CVSS 7.8 | CWE-416 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
When moving a station out of a VLAN and deleting the VLAN afterwards, the
fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
use-after-free bugs. Fix this by immediately calling ieee80211_check
nvd
CVE-2024-27405 [HIGH] CVSS 7.5 | CWE-476 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
It is observed sometimes when tethering is used over NCM with Windows 11
as host, at some instances, the gadget_giveback has one byte appended at
the end of a proper NTB. When the NTB is parsed, unwrap call looks for
nvd
CVE-2023-52669 [HIGH] CVSS 7.8 | CWE-787 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
crypto: s390/aes - Fix buffer overread in CTR mode
When processing the last block, the s390 ctr code will always read
a whole block, even if there isn't a whole block of data left. Fix
this by using the actual length left and copy it into a buffer first
for processing.
nvd
CVE-2024-35785 [HIGH] CVSS 7.1 | CWE-754 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
tee: optee: Fix kernel panic caused by incorrect error handling
The error path while failing to register devices on the TEE bus has a
bug leading to kernel panic as follows:
[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c
[ 15.406913] Mem abo
nvd
CVE-2024-35849 [HIGH] CVSS 7.1 | CWE-908 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
Syzbot reported the following information leak in
btrfs_ioctl_logical_to_ino():
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_us
nvd
CVE-2024-35847 [HIGH] CVSS 7.8 | CWE-415 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Prevent double free on error
The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with
nvd
CVE-2024-35828 [MEDIUM] CVSS 5.5 | CWE-401 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
In the for statement of lbs_allocate_cmd_buffer(), if the allocation of
cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf need to
be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().
nvd
CVE-2024-35813 [MEDIUM] CVSS 5.5 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: Avoid negative index with array access
Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns
prev_idata = idatas[i - 1], but doesn't check that the iterator i is
greater than zero. Let's fix this by adding a check.
nvd
CVE-2024-35815 [MEDIUM] CVSS 5.5 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
The first kiocb_set_cancel_fn() argument may point at a struct kiocb
that is not embedded inside struct aio_kiocb. With the current code,
depending on the compiler, the req->ki_ctx read happens either before
the IOCB_AIO_RW
nvd
CVE-2024-27416 [MEDIUM] CVSS 5.5 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
If we received HCI_EV_IO_CAPA_REQUEST while
HCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote
does support SSP since otherwise this event shouldn't be generated.
nvd
CVE-2023-52672 [MEDIUM] CVSS 5.5 | CWE-400 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
pipe: wakeup wr_wait after setting max_usage
In commit c73be61cede5 ("pipe: Add general notification queue support"), a
regression was introduced that would lock up resized pipes under certain
conditions. See the reproducer in [1].
The commit resizing the pipe ring size was moved to
nvd
CVE-2024-35805 [MEDIUM] CVSS 5.5 | CWE-667 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
dm snapshot: fix lockup in dm_exception_table_exit
There was reported lockup when we exit a snapshot with many exceptions.
Fix this by adding "cond_resched" to the loop that frees the exceptions.
nvd
CVE-2024-35806 [MEDIUM] CVSS 5.5 | CWE-667 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
soc: fsl: qbman: Always disable interrupts when taking cgr_lock
smp_call_function_single disables IRQs when executing the callback. To
prevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.
This is already done by qman_update_cgr and qman_delete_cgr; fix the
other
nvd
CVE-2024-35809 [MEDIUM] CVSS 4.7 | CWE-362 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
PCI/PM: Drain runtime-idle callbacks before driver removal
A race condition between the .runtime_idle() callback and the .remove()
callback in the rtsx_pcr PCI driver leads to a kernel crash due to an
unhandled page fault [1].
The problem is that rtsx_pci_runtime_idle() is not ex
nvd
CVE-2024-27431 [MEDIUM] CVSS 5.5 | CWE-908 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
cpumap: Zero-initialise xdp_rxq_info struct before running XDP program
When running an XDP program that is attached to a cpumap entry, we don't
initialise the xdp_rxq_info data structure being used in the xdp_buff
that backs the XDP program invocation. Tobias noticed that this lea
nvd
CVE-2024-35811 [MEDIUM] CVSS 5.5 | v10.0 | 2024-05-17
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
This is the candidate patch of CVE-2023-47233:
https://nvd.nist.gov/vuln/detail/CVE-2023-47233
In brcm80211 driver, it starts with the following invoking chain
to start init a timeout worker:
->brcmf_usb_probe
->brcmf_usb_p
nvd