Debian Linux-6.1 vulnerabilities

CVE-2024-36899 [HIGH] CVE-2024-36899: linux - In the Linux kernel, the following vulnerability has been resolved: gpiolib: cd... In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to

CVE-2024-46804 [HIGH] CVE-2024-46804: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add array index check for hdcp ddc access [Why] Coverity reports OVERRUN warning. Do not check if array index valid. [How] Check msg_id valid and valid array index. Scope: local bookworm: resolved (fixed in 6.1.112-1) bullseye: resolved (fixed in 5.10.226-1) forky: resolved (fixed in

CVE-2024-50073 [HIGH] CVE-2024-50073: linux - In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm:... In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtua

CVE-2024-36913 [HIGH] CVE-2024-36913: linux - In the Linux kernel, the following vulnerability has been resolved: Drivers: hv... In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoi

CVE-2024-45026 [HIGH] CVE-2024-45026: linux - In the Linux kernel, the following vulnerability has been resolved: s390/dasd: ... In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix error recovery leading to data corruption on ESE devices Extent Space Efficient (ESE) or thin provisioned volumes need to be formatted on demand during usual IO processing. The dasd_ese_needs_format function checks for error codes that signal the non existence of a proper track format.

CVE-2024-41050 [HIGH] CVE-2024-41050: linux - In the Linux kernel, the following vulnerability has been resolved: cachefiles:... In the Linux kernel, the following vulnerability has been resolved: cachefiles: cyclic allocation of msg_id to avoid reuse Reusing the msg_id after a maliciously completed reopen request may cause a read request to remain unprocessed and result in a hung, as shown below: t1 | t2 | t3 ------------------------------------------------- cachefiles_ondemand_select_req cach

CVE-2024-41092 [HIGH] CVE-2024-41092: linux - In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt... In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix potential UAF by revoke of fence registers CI has been sporadically reporting the following issue triggered by igt@i915_selftest@live@hangcheck on ADL-P and similar machines: [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence ... [414.068804] i915 0000:00:

CVE-2024-57917 [HIGH] CVE-2024-57917: linux - In the Linux kernel, the following vulnerability has been resolved: topology: K... In the Linux kernel, the following vulnerability has been resolved: topology: Keep the cpumask unchanged when printing cpumap During fuzz testing, the following warning was discovered: different return values (15 and 11) from vsnprintf("%*pbl ", ...) test:keyward is WARNING in kvasprintf WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130 Call T

CVE-2024-50047 [HIGH] CVE-2024-50047: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ===========================================

CVE-2024-57998 [HIGH] CVE-2024-57998: linux - In the Linux kernel, the following vulnerability has been resolved: OPP: add in... In the Linux kernel, the following vulnerability has been resolved: OPP: add index check to assert to avoid buffer overflow in _read_freq() Pass the freq index to the assert function to make sure we do not read a freq out of the opp->rates[] table when called from the indexed variants: dev_pm_opp_find_freq_exact_indexed() or dev_pm_opp_find_freq_ceil/floor_indexed().

CVE-2024-56631 [HIGH] CVE-2024-56631: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: sg: F... In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0

CVE-2024-54458 [HIGH] CVE-2024-54458: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ... In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: bsg: Set bsg_queue to NULL after removal Currently, this does not cause any issues, but I believe it is necessary to set bsg_queue to NULL after removing it to prevent potential use-after-free (UAF) access. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.

CVE-2024-27407 [HIGH] CVE-2024-27407: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: F... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed overflow check in mi_enum_attr() Scope: local bookworm: resolved (fixed in 6.1.123-1) bullseye: resolved forky: resolved (fixed in 6.7.7-1) sid: resolved (fixed in 6.7.7-1) trixie: resolved (fixed in 6.7.7-1)

CVE-2024-50143 [HIGH] CVE-2024-50143: linux - In the Linux kernel, the following vulnerability has been resolved: udf: fix un... In the Linux kernel, the following vulnerability has been resolved: udf: fix uninit-value use in udf_get_fileshortad Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7a

CVE-2024-49855 [HIGH] CVE-2024-49855: linux - In the Linux kernel, the following vulnerability has been resolved: nbd: fix ra... In the Linux kernel, the following vulnerability has been resolved: nbd: fix race between timeout and normal completion If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime m

CVE-2024-41040 [HIGH] CVE-2024-41040: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix UAF when resolving a clash KASAN reports the following UAF: BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct] Read of size 1 at addr ffff888c07603600 by task handler130/6469 Call Trace: dump_stack_lvl+0x48/0x70 print_address_description.constprop.0+0

CVE-2024-50279 [HIGH] CVE-2024-50279: linux - In the Linux kernel, the following vulnerability has been resolved: dm cache: f... In the Linux kernel, the following vulnerability has been resolved: dm cache: fix out-of-bounds access to the dirty bitset when resizing dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug in bitset iteration causes out-of-bounds access. Reproduce steps: 1. create a cache device of 1024 cache blocks (128 by

CVE-2024-43842 [HIGH] CVE-2024-43842: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89... In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. This can lead to go beyond array boundaries in case of 'rate->he_gi' is not equal to 'stat

CVE-2024-47701 [HIGH] CVE-2024-47701: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: avoid... In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0):

CVE-2024-56602 [HIGH] CVE-2024-56602: linux - In the Linux kernel, the following vulnerability has been resolved: net: ieee80... In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow