VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
3486 advisories across 32 monitored vendors.
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix VM_BIND UNMAP locking Wrong argument meant that the objs involved in UNMAP ops were not always getting locked. Since _NO_SHARE objs share a common resv with the VM (which is always locked) this would only show up with non-_NO_SHARE BOs. Patchwork: https://patchwork.freedesktop.org/patch/713898/ A flaw was found in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically within the Qualcomm Adreno GPU (MSM) driver. This could potentially lead to unexpected system behavior or instability, particularly with non-shared buffer objects, impacting system reliability. Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-413. Red Hat lists Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9 as not affected.
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix af_unix null-ptr-deref in proto update unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`). sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that socket is properly set up, which would include having a defined peer. IOW, there's a window when unix_stream_bpf_update_proto() can be called on socket which still has unix_peer(sk) == NULL. CPU0 bpf CPU1 connect -------- ------------ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED) sock_map_sk_state_allowed(sk) ... sk_pair = unix_peer(sk) sock_hold(sk_pair) sock_hold(newsk) smp_mb__after_atomic() unix_peer(sk) = newsk BUG: kernel NULL pointer dereference, address: 0000000000000080 RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0 Call Trace: sock_map_link+0x564/0x8b0 sock_map_update_common+0x6e/0x340 sock_map_update_elem_sys+0x17d/0x240 __sys_bpf+0x26db/0x3250 __x64_sys_bpf+0x21/0x30 do_syscall_64+0x6b/0x3a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Initial idea was to move peer assignment _before_ the sk_state update[1], but that involved an additional memory barrier, and changing the hot path was rejected.
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix off-by-one in check_imm signed range check check_imm(bits, imm) is used in the arm64 BPF JIT to verify that a branch displacement (in arm64 instruction units) fits into the signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding before it is handed to the encoder. The macro currently tests for (imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check admits one extra bit of range on each side. In particular, for check_imm19(), values in [2^18, 2^19) slip past the check but do not fit into the 19-bit signed imm19 field of B.cond. aarch64_insn_encode_immediate() then masks the raw value into the 19-bit field, setting bit 18 (the sign bit) and flipping a forward branch into a backward one. Same class of issue exists for check_imm26() and the B/BL encoding. Shift by (bits - 1) instead of bits so the actual signed N-bit range is enforced. Specifically, an off-by-one error exists in the BPF (Berkeley Packet Filter) JIT (Just-In-Time) compiler when handling immediate values for branch instructions on ARM64 architectures. This vulnerability allows the system to process values outside their intended range, which can lead to incorrect program execution flow.
In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in __ceph_x_decrypt() In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic. This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header. A remote attacker could trigger an out-of-bounds memory access in the `__ceph_x_decrypt()` function by sending a specially crafted message frame of type `FRAME_TAG_AUTH_REPLY_MORE` with a small ciphertext length. This vulnerability arises because the function interprets a buffer as a `ceph_x_encrypt_header` without ensuring the buffer is large enough.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Drop all SCM attributes for SOCKMAP. SOCKMAP can hide inflight fd from AF_UNIX GC. When a socket in SOCKMAP receives skb with inflight fd, sk_psock_verdict_data_ready() looks up the mapped socket and enqueue skb to its psock->ingress_skb. Since neither the old nor the new GC can inspect the psock queue, the hidden skb leaks the inflight sockets. Note that this cannot be detected via kmemleak because inflight sockets are linked to a global list. In addition, SOCKMAP redirect breaks the Tarjan-based GC's assumption that unix_edge.successor is always alive, which is no longer true once skb is redirected, resulting in use-after-free below. [0] Moreover, SOCKMAP does not call scm_stat_del() properly, so unix_show_fdinfo() could report an incorrect fd count. sk_msg_recvmsg() does not support any SCM attributes in the first place. A flaw was found in the Linux kernel's af_unix component, specifically within its SOCKMAP feature. This vulnerability stems from the kernel's improper handling of Socket Control Message (SCM) attributes when data is passed to the SOCKMAP layer. This can lead to a use-after-free condition, which may allow an attacker to cause system instability or a denial of service. The issue also contributes to resource leaks of file descriptors and inaccurate reporting of file descriptor counts.
don't use simple_strtoul. Red Hat rates this moderate (CVSS 7). Weakness: CWE-170.
fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER. Red Hat rates this moderate (CVSS 7). Weakness: CWE-364.
fix missing expect put in obj eval. Red Hat rates this moderate (CVSS 7). Weakness: CWE-772.
fix refcount saturation and potential UAF in qrtr_port_remove. Red Hat rates this moderate (CVSS 7). Weakness: CWE-911.
Fix potential use-after-free in get_timestamp. Red Hat rates this moderate (CVSS 7). Weakness: CWE-825.
Clear HCI_UART_PROTO_INIT on error. Red Hat rates this moderate (CVSS 7). Weakness: CWE-825.
fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg. Red Hat rates this moderate (CVSS 7). Weakness: CWE-911.
IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload. Red Hat rates this moderate (CVSS 7.5). Weakness: CWE-347.
IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload. Red Hat rates this moderate (CVSS 7.5). Weakness: CWE-347.
IKEv2 Denial of Service via malformed fragmentation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-193.
Uninitialized Use in GPU. Red Hat rates this important (CVSS 5.3). Weakness: CWE-824.
Insufficient validation of untrusted input in Navigation. Red Hat rates this important (CVSS 5.8). Weakness: CWE-1286.
Information disclosure via path traversal in LaTeX backend. Red Hat rates this moderate (CVSS 5.5). Weakness: CWE-22.
Denial of Service due to infinite loop in AtomicReference#update. Red Hat rates this moderate (CVSS 5.9). Weakness: CWE-835.
Incorrect write lock granting leading to broken mutual exclusion. Red Hat rates this low (CVSS 4.7). Weakness: CWE-190.