A use-after-free flaw was found in ip6_autoflowlabel in the Linux kernel's net/ipv6/ip6_output.c code. In this flaw an attacker can cause a denial of service (DoS) attack.

A use-after-free flaw was found in ip6_finish_output2 in net/ipv6/ip6_output.c in ipv6 access. This flaw could allow an attacker to crash the system at device disconnect. This vulnerability could even lead to a kernel information leak problem.

In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu().

In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); }

In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc.

A security vulnerability was found in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) implementation on x86 architecture. When SVA is enabled, the IOMMU caches kernel page table entries. Since the kernel lacks a mechanism to notify the IOMMU when kernel page table pages are freed and reallocated, the IOMMU can retain stale entries pointing to reused memory. This can lead to use-after-free or write-after-free conditions, potentially enabling arbitrary physical memory DMA access or privilege escalation.

In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped.

In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ]

In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid.

A use-after-free flaw was found in the Linux kernel's iSCSI target subsystem. In the iscsit_dec_conn_usage_count() function, complete() is called while still holding the conn->conn_usage_lock spinlock. The waiting thread (such as iscsit_close_connection()) may wake up immediately and free the iscsit_conn structure before the current thread executes spin_unlock_bh(), resulting in a use-after-free when attempting to release the lock on already-freed memory.

A flaw was found in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. An error in releasing a flowtable after an RCU (Read-Copy-Update) grace period could lead to a use-after-free vulnerability. This issue could expose the flowtable to the packet path and nfnetlink_hook control plane, potentially allowing a local attacker to cause a system crash (Denial of Service) or achieve arbitrary code execution.

A flaw was found in the Linux kernel's netfilter subsystem, specifically within the `nf_conntrack_h323` module. This vulnerability occurs in the `DecodeQ931()` function when processing a zero-length value from a packet. An integer underflow during a length calculation results in a large, incorrect value being passed to a subsequent function, leading to an out-of-bounds read. This could allow an attacker to cause a denial of service or potentially disclose sensitive information.

A flaw was found in the Linux kernel's netfilter component. This vulnerability occurs because the `eui64_mt6()` function, which processes IPv6 packets, does not properly validate the MAC header for all packets. Specifically, packets with a zero fragment offset could bypass an existing guard, allowing the system to attempt to access an invalid MAC header. A remote attacker could exploit this by sending specially crafted IPv6 packets, potentially causing a system crash and leading to a Denial of Service (DoS).

A flaw was found in the Linux kernel's brcmfmac Wi-Fi driver. This vulnerability occurs because the driver fails to properly validate bsscfg indices in interface (IF) events. An attacker could exploit this by sending a specially crafted IF event with an invalid bsscfg index, which could lead to an out-of-bounds write or read, potentially causing a system crash and resulting in a denial of service (DoS).

A flaw was found in the `netfilter: ctnetlink` component of the Linux kernel. This vulnerability occurs due to insufficient locking when accessing the master conntrack object, allowing it to become invalid while still being referenced. A local attacker could potentially exploit this race condition, leading to a system crash and a denial of service.

A flaw was found in the Linux kernel's XFS filesystem. When adding extended attributes (xattrs), which are metadata associated with files, to leaf blocks, incorrect adjustments to the freemap can occur. This inconsistency allows the entries array and free space to overlap, leading to an assertion failure. A local user can exploit this to cause the filesystem to shut down, resulting in a Denial of Service (DoS).

A flaw was found in the Linux kernel, specifically within the netfilter: xt_tcpmss module. A remote attacker could exploit this vulnerability by sending a specially crafted TCP packet. The TCP option parser does not properly validate the remaining option length, which results in an out-of-bounds read. This allows an attacker to access memory beyond the intended buffer, potentially leading to information disclosure.

A flaw was found in the Linux kernel's memory management subsystem. When pages are freed, the page->private field is not properly cleared. If these pages are later reallocated as high-order pages and split, the tail pages can retain stale page->private values. This can lead to a use-after-free vulnerability in the swap subsystem, where incorrect assumptions about the page->private value can cause the system to crash.