Linux versions 4.20 and above have an issue where ktls writes into spliced readonly pages.
c8a387c3d377fb9915457e6c2add6c04bc585011d822e7f419d1a632b108342dLinux suffers from an io_uring use-after-free vulnerability due to broken unix GC interaction.
f69e0977a025727662a99855b4620c72daf61a181fc942af121b5a2aba667456Linux versions 6.4 and above suffer from an io_uring page use-after-free vulnerability via buffer ring mmap.
bdd56a2cf8ae5ffb5b1e0cf855da69a640ead67ed0ab5559b57abc88c22cd6f9__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.
36027428c2c544777c9a58e5240c8a00ac64b96a28b3c1c2a02ca9c040ca0b42Arm Mali CSF has a refcount overflow bugfix in r43p0 that was misclassified as a memory leak fix.
05a93b8780cfb3ee2e1142acedfd65b47dbf3a86e2c48f3c8256e45ceaf5837bARM Mali r44p0 suffers from a use-after-free vulnerability by freeing waitqueue with elements on it.
4fea6948aa6c6c134d3f0e82d4d907da692a000feadff0b07880f486048867a4PowerVR suffers from a multitude of memory management bugs including out-of-bounds access and information leakage.
c135dd9da4f49945f6ffab49beafba001bf366477d6ac30866c7fd5a8b312a8eLinux suffers from a small remote binary information leak in DCCP.
8f509db352a5daf100520971c2666cea99bc2b733614a6fbd107c438f44733beThe Linux 6.4 kernel suffers from a use-after-free condition due to per-VMA locks that introduce a race between page fault and MREMAP_DONTUNMAP.
3d39c971dd3c9a3c68ba92f6935c1ac85bc812d562760cadb42454ab84afcb68There is a race between mbind() and VMA-locked page faults in the Linux 6.4 kernel, leading to a use-after-free condition.
78b0a4905933278287d325ebef0bf5c144a4c579eaaf4874daf17a797f5aa2b7Qualcomm Adreno/KGSL suffers from an issue where code in user-writable mapping is executed in non-protected mode.
795d9bc48251143119585b455550c6ef9db1db6cead5a6bfba90baa195ff4c43On Qualcomm Adreno/KGSL builds where CONFIG_QCOM_KGSL_USE_SHMEM is not set (or on older KGSL versions without CONFIG_QCOM_KGSL_USE_SHMEM), KGSL allocates GPU-shared memory from its own page pool. Pages from this pool are inserted into VMAs that don't have any weird flags like VM_PFNMAP set, which means userspace can grab extra references to these pages through get_user_pages() (for example, using vmsplice()). But when GPU-shared memory is freed, KGSL puts the freed pages into its own page pool without checking the page refcount. This means that pages that are still accessible from userspace can be reallocated as GPU memory by another process.
912899972d766ddbe72f5a9e3255c982b1f4d47a09b7d4e6f29f8440583aa47cQualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().
607fa965d699b8530e3007ef7ceaca726a5ef18f66dd831e4ec632ad32adcccdQualcomm Adreno/KGSL suffers from an issue where secure buffers are addressable by all GPU users. Qualcomm believes this finding has no security impact and will not address it.
d9b987714309cbf4e6d06626329557ab19e9a3e5c17b45b14e62e612bd881e23wfc-pkt-router suffers from a vulnerability where it can wrongly bind to an external network interface instead of the VPN tunnel.
03509814b094fdcb874430f7b5654f15f7ca1ccdd20e1463ac75f2a0d6edef4cCentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.
ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69eThe kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.
a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.
a79f67a4ff4419f1ee030e5d31da09ffc097f7a7aff75a313677c344131a2bc4Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.
52bdc4d424513850282af302704976ef18a76f8dae3b5f71cf887f9e9577e262kbase_csf_kcpu_queue_enqueue() locks the kctx->csf.kcpu_queues, looks up a pointer from inside that structure, then drops the lock before continuing to use the kbase_kcpu_command_queue that was looked up. This is a classic use-after-free pattern, where the lookup of a pointer is protected but the protective lock is then released without first acquiring any other lock or reference to keep the referenced object alive.
4fd61c0109d183f3b2a909d608ec4f7ebeb118f98b4d057a01a280c10f5a5339Arm Mali suffers from an insufficient cache invalidation for non-page-aligned user buffer imports.
1cc19cb79a91228a44e5c6196c91a498b37c74f153ea14e278fe6327355cc218Android Binder VMA management suffers from multiple security issues.
ab667a607662e113616863f74924dec25552f0f3627b28b830dcd1cef1dc0df9khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.
4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.
07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.
b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed