Fedoraproject Fedora vulnerabilities
5,277 known vulnerabilities affecting fedoraproject/fedora.
Total CVEs: 5,277
CISA KEV: 84 (actively exploited)
Public exploits: 126
Exploited in wild: 101
Severity breakdown
CRITICAL 514 | HIGH 2325 | MEDIUM 2265 | LOW 173
Vulnerabilities
Page 6 of 264
CVE-2024-27008 | HIGH | CVSS 7.8 | CWE-125 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
drm: nv04: Fix out of bounds access
When Output Resource (dcb->or) value is assigned in
fabricate_dcb_output(), there may be out of bounds access to
dac_users array in case dcb->or is zero because ffs(dcb->or) is
used as index there.
The 'or' argument of fabricate_dcb_output() must
nvd
CVE-2024-27018 | HIGH | CVSS 7.8 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: skip conntrack input hook for promisc packets
For historical reasons, when bridge device is in promisc mode, packets
that are directed to the taps follow bridge input hook path. This patch
adds a workaround to reset conntrack for these packets.
Jianbo Liu reports w
nvd
CVE-2024-4368 | HIGH | CVSS 8.8 | CWE-416 | v38 v39 +1 more | 2024-05-01
Use after free in Dawn in Google Chrome prior to 124.0.6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2024-4331 | HIGH | CVSS 8.8 | CWE-416 | v38 v39 +1 more | 2024-05-01
Use after free in Picture In Picture in Google Chrome prior to 124.0.6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2024-27021 | HIGH | CVSS 7.8 | CWE-667 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
r8169: fix LED-related deadlock on module removal
Binding devm_led_classdev_register() to the netdev is problematic
because on module removal we get a RTNL-related deadlock. Fix this
by avoiding the device-managed LED functions.
Note: We can safely call led_classdev_unregister() fo
nvd
CVE-2024-27001 | MEDIUM | CVSS 5.5 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
comedi: vmk80xx: fix incomplete endpoint checking
While vmk80xx does have endpoint checking implemented, some things
can fall through the cracks. Depending on the hardware model,
URBs can have either bulk or interrupt type, and current version
of vmk80xx_find_usb_endpoints() function does
nvd
CVE-2024-27017 | MEDIUM | CVSS 5.5 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: walk over current view on netlink dump
The generation mask can be updated while netlink dump is in progress.
The pipapo set backend walk iterator cannot rely on it to infer what
view of the datastructure is to be used. Add notation to specify if user
wants to re
nvd
CVE-2024-26994 | MEDIUM | CVSS 5.5 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
speakup: Avoid crash on very long word
In case a console is set up really large and contains a really long word
(> 256 characters), we have to stop before the length of the word buffer.
nvd
CVE-2024-27014 | MEDIUM | CVSS 5.5 | CWE-667 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Prevent deadlock while disabling aRFS
When disabling aRFS under the `priv->state_lock`, any scheduled
aRFS works are canceled using the `cancel_work_sync` function,
which waits for the work to end if it has already started.
However, while waiting for the work handler, t
nvd
CVE-2024-26987 | MEDIUM | CVSS 5.5 | CWE-667 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled
When I did hard offline test with hugetlb pages, below deadlock occurs:
WARNING: possible circular locking dependency detected
6.8.0-11409-gf6cef5f8c37f #1 Not tainted
bash/46904 is trying to acquire lock:
f
nvd
CVE-2024-4059 | MEDIUM | CVSS 6.5 | CWE-125 | v40 | 2024-05-01
Out of bounds read in V8 API in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to leak cross-site data via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2024-27013 | MEDIUM | CVSS 5.5 | CWE-770 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
tun: limit printing rate when illegal packet received by tun dev
vhost_worker will call tun call backs to receive packets. If too many
illegal packets arrives, tun_do_read will keep dumping packet contents.
When console is enabled, it will costs much more cpu time to dump
packet a
nvd
CVE-2024-27019 | MEDIUM | CVSS 4.7 | CWE-362 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
nft_unregister_obj() can concurrent with __nft_obj_type_get(),
and there is not any protection when iterate over nf_tables_objects
list in __nft_obj_type_get(). Therefore, there is potential data-race
of nf_tabl
nvd
CVE-2024-27012 | MEDIUM | CVSS 5.5 | CWE-401 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: restore set elements when delete set fails
From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
element
nvd
CVE-2024-27016 | MEDIUM | CVSS 5.5 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: validate pppoe header
Ensure there is sufficient room to access the protocol field of the
PPPoe header. Validate it once before the flowtable lookup, then use a
helper function to access protocol field.
nvd
CVE-2024-27004 | MEDIUM | CVSS 5.5 | CWE-667 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
clk: Get runtime PM before walking tree during disable_unused
Doug reported [1] the following hung task:
INFO: task swapper/0:1 blocked for more than 122 seconds.
Not tainted 5.15.149-21875-gf795ebc40eb8 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
nvd
CVE-2024-27015 | MEDIUM | CVSS 5.5 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: incorrect pppoe tuple
pppoe traffic reaching ingress path does not match the flowtable entry
because the pppoe header is expected to be at the network header offset.
This bug causes a mismatch in the flow table lookup, so pppoe packets
enter the classical forwarding
nvd
CVE-2024-4060 | MEDIUM | CVSS 6.5 | CWE-416 | v40 | 2024-05-01
Use after free in Dawn in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd
CVE-2024-26986 | MEDIUM | CVSS 5.5 | CWE-401 | v38 v39 +1 more | 2024-05-01
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix memory leak in create_process failure
Fix memory leak due to a leaked mmget reference on an error handling
code path that is triggered when attempting to create KFD processes
while a GPU reset is in progress.
nvd
CVE-2024-1874 | CRITICAL | CVSS 9.4 | CWE-116 | v39 v40 | 2024-04-29
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
nvd