Msrc Cbl Mariner 2.0 Arm vulnerabilities

CVE-2023-2162 [MEDIUM] CWE-416 A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal infor A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information. FAQ: Is Azure Linux the only Microsoft product that include

CVE-2021-45985 [HIGH] CWE-1395 Mitre: CVE-2021-45985 Erroneous finalizer call in Lua leads to a heap-based buffer over-read Mitre: CVE-2021-45985 Erroneous finalizer call in Lua leads to a heap-based buffer over-read NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2021-45985 Description: This CVE was assigned by Mitre. Some Microsoft products consume Lau open-source software. The purpose of this document is to attest to the fact that the products listed in the Security Updates table hav

CVE-2023-30772 [MEDIUM] CWE-416 The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device. The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affe

CVE-2023-2019 [MEDIUM] CWE-911 A flaw was found in the Linux kernel's netdevsim device driver within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to crea A flaw was found in the Linux kernel's netdevsim device driver within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system. FAQ: Is Azure Linux

CVE-2023-28484 [MEDIUM] CWE-476 In libxml2 before 2.10.4 parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. In libxml2 before 2.10.4 parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library a

CVE-2023-1990 [MEDIUM] CWE-416 A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem. A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affec

CVE-2023-28328 [MEDIUM] CWE-476 A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into t A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or pot

CVE-2023-30612 [MEDIUM] CWE-416 Malicious HTTP requests could close arbitrary opening file descriptors in cloud-hypervisor Malicious HTTP requests could close arbitrary opening file descriptors in cloud-hypervisor FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most r

CVE-2023-2166 [MEDIUM] CWE-476 A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.

CVE-2023-2177 [MEDIUM] CWE-476 A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed stream_out is freed which would further be accesse A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potential

CVE-2023-2426 [MEDIUM] CWE-823 Use of Out-of-range Pointer Offset in vim/vim Use of Out-of-range Pointer Offset in vim/vim FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is compos

CVE-2023-29194 [MEDIUM] CWE-20 vitess allows users to create keyspaces that can deny access to already existing keyspaces vitess allows users to create keyspaces that can deny access to already existing keyspaces FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most re

CVE-2023-28531 [CRITICAL] ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main

CVE-2023-26484 [HIGH] CWE-863 On a compromised KubeVirt node the virt-handler service account can be used to modify all node specs On a compromised KubeVirt node the virt-handler service account can be used to modify all node specs FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to da

CVE-2022-48425 [HIGH] CWE-763 In the Linux kernel through 6.2.7 fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs. In the Linux kernel through 6.2.7 fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose t

CVE-2023-1652 [HIGH] CWE-416 A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. FAQ: Is Azure Linux the only Microso

CVE-2023-28466 [HIGH] CWE-476 do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call leading to a race condition (with a resultant use-after-free or NULL pointer dereference). do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call leading to a race condition (with a resultant use-after-free or NULL pointer dereference). FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is

CVE-2022-4904 [HIGH] CWE-1284 A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string which allows a possible arbitrary length stack overflow. This issue may cause a d A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity

CVE-2022-4095 [HIGH] CWE-416 A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c allowing an attacker to launch a local denial of service att A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c allowing an attacker to launch a local denial of service attack and gain escalation of privileges. FAQ: Is Azure Linux the only M

CVE-2023-27533 [HIGH] CWE-74 A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server A vulnerability in input validation exists in curl Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux d