Debian Linux vulnerabilities

CVE-2024-26777 [MEDIUM] CVE-2024-26777: In the Linux kernel, the following vulnerability has been resolved: fbdev: sis: Error out if pixclo In the Linux kernel, the following vulnerability has been resolved: fbdev: sis: Error out if pixclock equals zero The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error. In sisfb_check_var(), var->pixclock is used as a divisor to caculate dr

CVE-2024-26747 [MEDIUM] CWE-476 CVE-2024-26747: In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer is In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue when put module's reference In current design, usb role class driver will get usb_role_switch parent's module reference after the user get usb_role_switch device and put the reference after the user put the usb_role_switch device. However, the pa

CVE-2024-26685 [MEDIUM] CWE-787 CVE-2024-26685: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential bug in en In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential bug in end_buffer_async_write According to a syzbot report, end_buffer_async_write(), which handles the completion of block device writes, may detect abnormal condition of the buffer async_write flag and cause a BUG_ON failure when using nilfs2. Nilfs2 itsel

CVE-2024-26773 [MEDIUM] CVE-2024-26773: In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocating blocks f In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() Determine if the group block bitmap is corrupted before using ac_b_ex in ext4_mb_try_best_found() to avoid allocating blocks from a group with a corrupted block bitmap in the following concurrency and making th

CVE-2024-26766 [MEDIUM] CWE-193 CVE-2024-26766: In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_des In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probabl

CVE-2024-26764 [LOW] CVE-2024-26764: In the Linux kernel, the following vulnerability has been resolved: fs/aio: Restrict kiocb_set_canc In the Linux kernel, the following vulnerability has been resolved: fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the following kernel warning appears: WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Call trace: kiocb_set_cancel_fn+0x9c/0xa8 ffs_ep

CVE-2024-26665 [HIGH] CWE-125 CVE-2024-26665: In the Linux kernel, the following vulnerability has been resolved: tunnels: fix out of bounds acce In the Linux kernel, the following vulnerability has been resolved: tunnels: fix out of bounds access when building IPv6 PMTU error If the ICMPv6 error is built from a non-linear skb we get the following splat, BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 Read of size 4 at addr ffff88811d402c80 by task netperf/820 CPU: 0 PID: 820 Comm: net

CVE-2024-26673 [HIGH] CVE-2024-26673: In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: sanitize lay In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations - Disallow families other than NFPROTO_{IPV4,IPV6,INET}. - Disallow layer 4 protocol with no ports, since destination port is a mandatory attribute for this object.

CVE-2024-26664 [HIGH] CWE-787 CVE-2024-26664: In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) Fix out-of-bo In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) Fix out-of-bounds memory access Fix a bug that pdata->cpu_map[] is set before out-of-bounds check. The problem might be triggered on systems with more than 128 cores per package.

CVE-2024-26659 [MEDIUM] CWE-787 CVE-2024-26659: In the Linux kernel, the following vulnerability has been resolved: xhci: handle isoc Babble and Bu In the Linux kernel, the following vulnerability has been resolved: xhci: handle isoc Babble and Buffer Overrun events properly xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the early TRBs. Yet the driver makes such assumption and releases the TD, allowing the rema

CVE-2023-52635 [MEDIUM] CWE-835 CVE-2023-52635: In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Synchronize devfr In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Synchronize devfreq_monitor_[start/stop] There is a chance if a frequent switch of the governor done in a loop result in timer list corruption where timer cancel being done from two place one from cancel_delayed_work_sync() and followed by expire_timers() can be seen

CVE-2024-26663 [MEDIUM] CWE-476 CVE-2024-26663: In the Linux kernel, the following vulnerability has been resolved: tipc: Check the bearer type bef In the Linux kernel, the following vulnerability has been resolved: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() syzbot reported the following general protection fault [1]: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x000000000

CVE-2024-26675 [MEDIUM] CWE-770 CVE-2024-26675: In the Linux kernel, the following vulnerability has been resolved: ppp_async: limit MRU to 64K sy In the Linux kernel, the following vulnerability has been resolved: ppp_async: limit MRU to 64K syzbot triggered a warning [1] in __alloc_pages(): WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) [1]: WARNING:

CVE-2024-26684 [MEDIUM] CVE-2024-26684: In the Linux kernel, the following vulnerability has been resolved: net: stmmac: xgmac: fix handlin In the Linux kernel, the following vulnerability has been resolved: net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features in XGMAC core") checks and reports safety errors, but leaves the Data Path Parity Errors for each channel in DMA unhandled at all, lead to a storm of interrup

CVE-2024-26671 [MEDIUM] CWE-362 CVE-2024-26671: In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitma In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe the added waiter in

CVE-2024-26679 [MEDIUM] CWE-667 CVE-2024-26679: In the Linux kernel, the following vulnerability has been resolved: inet: read sk->sk_family once i In the Linux kernel, the following vulnerability has been resolved: inet: read sk->sk_family once in inet_recv_error() inet_recv_error() is called without holding the socket lock. IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM socket option and trigger a KCSAN warning.

CVE-2024-26654 [HIGH] CWE-416 CVE-2024-26654: In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer. When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be der

CVE-2024-28085 [LOW] CWE-150 CVE-2024-28085: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequence wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

CVE-2023-52621 [HIGH] CWE-617 CVE-2023-52621: In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_ In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers These three bpf_map_{lookup,update,delete}_elem() helpers are also available for sleepable bpf program, so add the corresponding lock assertion for sleepable bpf program, otherwise the following warning will be rep

CVE-2023-52627 [MEDIUM] CWE-476 CVE-2023-52627: In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7091r: Allow users In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7091r: Allow users to configure device events AD7091R-5 devices are supported by the ad7091r-5 driver together with the ad7091r-base driver. Those drivers declared iio events for notifying user space when ADC readings fall bellow the thresholds of low limit registers or