CWE-911
AllowedImproper Update of Reference Count
Abstraction: Base · Status: Incomplete
The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.
25 vulnerabilities reference this CWE, most recent first.
CVE-2020-11935 (GCVE-0-2020-11935)
Vulnerability from cvelistv5 – Published: 2023-04-07 00:00 – Updated: 2024-08-04 11:42- CWE-911 - Improper Update of Reference Count
| URL | Tags |
|---|---|
| https://ubuntu.com/security/CVE-2020-11935 | vendor-advisory |
| https://bugs.launchpad.net/bugs/1873074 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Ubuntu | Linux kernel (aufs filesystem module) |
Unaffected:
4.4.0-186.216 , < 4.4*
(custom)
Unaffected: 4.15.0-112.113 , < 4.15* (custom) Unaffected: 5.4.0-42.46 , < 5.4* (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Ubuntu Security CVE-2020-11935",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2020-11935"
},
{
"name": "Launchpad Bug 1873074",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1873074"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Linux kernel (aufs filesystem module)",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "4.4*",
"status": "unaffected",
"version": "4.4.0-186.216",
"versionType": "custom"
},
{
"lessThan": "4.15*",
"status": "unaffected",
"version": "4.15.0-112.113",
"versionType": "custom"
},
{
"lessThan": "5.4*",
"status": "unaffected",
"version": "5.4.0-42.46",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mauricio Faria de Oliveira discovered that the aufs implementation in the Linux kernel improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service."
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-911",
"description": "CWE-911 Improper Update of Reference Count",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-07T00:00:00.000Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "Ubuntu Security CVE-2020-11935",
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/CVE-2020-11935"
},
{
"name": "Launchpad Bug 1873074",
"tags": [
"vendor-advisory"
],
"url": "https://bugs.launchpad.net/bugs/1873074"
}
],
"source": {
"defect": [
"LP#1873074"
],
"discovery": "USER"
},
"title": "aufs: improperly managed inode reference counts in the vfsub_dentry_open() method",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-11935",
"datePublished": "2023-04-07T00:00:00.000Z",
"dateReserved": "2020-04-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:42:00.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-3HMC-JXR7-RW7J
Vulnerability from github – Published: 2023-10-24 00:31 – Updated: 2024-07-24 18:31The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2023-5633"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T22:15:09Z",
"severity": "HIGH"
},
"details": "The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.",
"id": "GHSA-3hmc-jxr7-rw7j",
"modified": "2024-07-24T18:31:15Z",
"published": "2023-10-24T00:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5633"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0113"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0134"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1404"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4831"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-5633"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245663"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4WXW-3VRC-3HMH
Vulnerability from github – Published: 2025-02-18 21:32 – Updated: 2025-05-13 21:30A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access.
{
"affected": [],
"aliases": [
"CVE-2024-45783"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-18T20:15:19Z",
"severity": "MODERATE"
},
"details": "A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn\u0027t properly set an ERRNO value. This issue may lead to a NULL pointer access.",
"id": "GHSA-4wxw-3vrc-3hmh",
"modified": "2025-05-13T21:30:28Z",
"published": "2025-02-18T21:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45783"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:6990"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-45783"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345863"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XP2-X7QR-WJRX
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-06 15:30This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpcUa_SecureListener_ProcessSessionCallRequest method. A crafted OPC UA message can force the server to incorrectly update a reference count. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-16927.
{
"affected": [],
"aliases": [
"CVE-2022-37012"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpcUa_SecureListener_ProcessSessionCallRequest method. A crafted OPC UA message can force the server to incorrectly update a reference count. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-16927.",
"id": "GHSA-5xp2-x7qr-wjrx",
"modified": "2023-04-06T15:30:18Z",
"published": "2023-03-29T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37012"
},
{
"type": "WEB",
"url": "https://documentation.unified-automation.com/uasdkcpp/1.7.7/CHANGELOG.txt"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W7W-2RV7-QQW7
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-07-03 18:42In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails
arm_smmu_rpm_get() invokes pm_runtime_get_sync(), which increases the refcount of the "smmu" even though the return value is less than 0.
The reference counting issue happens in some error handling paths of arm_smmu_rpm_get() in its caller functions. When arm_smmu_rpm_get() fails, the caller functions forget to decrease the refcount of "smmu" increased by arm_smmu_rpm_get(), causing a refcount leak.
Fix this issue by calling pm_runtime_resume_and_get() instead of pm_runtime_get_sync() in arm_smmu_rpm_get(), which can keep the refcount balanced in case of failure.
{
"affected": [],
"aliases": [
"CVE-2021-47327"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails\n\narm_smmu_rpm_get() invokes pm_runtime_get_sync(), which increases the\nrefcount of the \"smmu\" even though the return value is less than 0.\n\nThe reference counting issue happens in some error handling paths of\narm_smmu_rpm_get() in its caller functions. When arm_smmu_rpm_get()\nfails, the caller functions forget to decrease the refcount of \"smmu\"\nincreased by arm_smmu_rpm_get(), causing a refcount leak.\n\nFix this issue by calling pm_runtime_resume_and_get() instead of\npm_runtime_get_sync() in arm_smmu_rpm_get(), which can keep the refcount\nbalanced in case of failure.",
"id": "GHSA-8w7w-2rv7-qqw7",
"modified": "2024-07-03T18:42:48Z",
"published": "2024-05-21T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47327"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1adf30f198c26539a62d761e45af72cde570413d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3761ae0d0e549f2acdaf11f49df4ed06d256b20f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c4007596fbdabc29f858dc2e1990858a146b60b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbf4daa6f4105e01fbd3868006f65c163365c1e3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe92c058199067ae90cf2a901ddf3c271893557a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9VMW-8F7F-QHCH
Vulnerability from github – Published: 2023-04-24 21:30 – Updated: 2024-04-04 03:40A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.
{
"affected": [],
"aliases": [
"CVE-2023-2019"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-24T21:15:09Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel\u0027s netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.",
"id": "GHSA-9vmw-8f7f-qhch",
"modified": "2024-04-04T03:40:14Z",
"published": "2023-04-24T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2019"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/180a6a3ee60a"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2189137"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-17811"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9X88-7C3C-R34G
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence:
ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1]
rt_genid_bump_ipv6()
-> bumps fib6_sernum
[fib6_sernum from W to Z]
ip6_route_output()
-> ip6_pol_route()
-> FIB lookup resolves fib6_nh
[nhid=N]
-> rt6_get_pcpu_route()
pcpu_rt->sernum != fib6_sernum
[W <> Z, stale]
-> prev = xchg(rt6i_pcpu, NULL)
-> dst_release(prev)
[prev is pcpu_rt,
refcount 1->0, dead]
dst = skb_dst(skb)
[dst is the dead pcpu_rt]
dst_cache_set_ip6(dst)
-> dst_hold() on dead dst
-> WARN / use-after-free
For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.
Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.
{
"affected": [],
"aliases": [
"CVE-2026-46099"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:31Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n ksoftirqd/X higher-prio task (same CPU X)\n ----------- --------------------------------\n seg6_input_core(,skb)/rpl_input(skb)\n dst_cache_get()\n -\u003e miss\n ip6_route_input(skb)\n -\u003e ip6_pol_route(,skb,flags)\n [RT6_LOOKUP_F_DST_NOREF in flags]\n -\u003e FIB lookup resolves fib6_nh\n [nhid=N route]\n -\u003e rt6_make_pcpu_route()\n [creates pcpu_rt, refcount=1]\n pcpu_rt-\u003esernum = fib6_sernum\n [fib6_sernum=W]\n -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\n NULL, pcpu_rt)\n [slot was empty, store succeeds]\n -\u003e skb_dst_set_noref(skb, dst)\n [dst is pcpu_rt, refcount still 1]\n\n rt_genid_bump_ipv6()\n -\u003e bumps fib6_sernum\n [fib6_sernum from W to Z]\n ip6_route_output()\n -\u003e ip6_pol_route()\n -\u003e FIB lookup resolves fib6_nh\n [nhid=N]\n -\u003e rt6_get_pcpu_route()\n pcpu_rt-\u003esernum != fib6_sernum\n [W \u003c\u003e Z, stale]\n -\u003e prev = xchg(rt6i_pcpu, NULL)\n -\u003e dst_release(prev)\n [prev is pcpu_rt,\n refcount 1-\u003e0, dead]\n\n dst = skb_dst(skb)\n [dst is the dead pcpu_rt]\n dst_cache_set_ip6(dst)\n -\u003e dst_hold() on dead dst\n -\u003e WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst.",
"id": "GHSA-9x88-7c3c-r34g",
"modified": "2026-06-30T03:36:51Z",
"published": "2026-05-27T15:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46099"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46099"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481972"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5W9-M9R4-63PR
Vulnerability from github – Published: 2024-12-28 06:30 – Updated: 2025-01-09 18:32Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.
{
"affected": [],
"aliases": [
"CVE-2024-46972"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-28T05:15:08Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.",
"id": "GHSA-g5w9-m9r4-63pr",
"modified": "2025-01-09T18:32:13Z",
"published": "2024-12-28T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46972"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR5C-F7V3-7G8C
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-27 00:01Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.
{
"affected": [],
"aliases": [
"CVE-2022-29581"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-17T17:15:00Z",
"severity": "HIGH"
},
"details": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.",
"id": "GHSA-jr5c-f7v3-7g8c",
"modified": "2022-05-27T00:01:44Z",
"published": "2022-05-18T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29581"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3db09e762dc79584a69c10d74a6b98f89a9979f8"
},
{
"type": "WEB",
"url": "https://kernel.dance/#3db09e762dc79584a69c10d74a6b98f89a9979f8"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220629-0005"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5173"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168191/Kernel-Live-Patch-Security-Notice-LSN-0089-1.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/05/18/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5WQ-R6HH-XQF5
Vulnerability from github – Published: 2023-04-07 03:30 – Updated: 2023-04-13 21:30It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2020-11935"
],
"database_specific": {
"cwe_ids": [
"CWE-911"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-07T02:15:00Z",
"severity": "MODERATE"
},
"details": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.",
"id": "GHSA-m5wq-r6hh-xqf5",
"modified": "2023-04-13T21:30:27Z",
"published": "2023-04-07T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11935"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/bugs/1873074"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2020-11935"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.