Total
4140 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0671 | 2024-04-19 | N/A | N/A | ||
| Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Midgard GPU Kernel Driver: from r19p0 through r32p0; Bifrost GPU Kernel Driver: from r7p0 through r48p0; Valhall GPU Kernel Driver: from r19p0 through r48p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r48p0. | |||||
| CVE-2024-1065 | 2024-04-19 | N/A | N/A | ||
| Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r45p0 through r48p0; Valhall GPU Kernel Driver: from r45p0 through r48p0; Arm 5th Gen GPU Architecture Kernel Driver: from r45p0 through r48p0. | |||||
| CVE-2023-51780 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-04-19 | N/A | 7.0 HIGH |
| An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition. | |||||
| CVE-2024-26598 | 1 Linux | 1 Linux Kernel | 2024-04-17 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. | |||||
| CVE-2022-48626 | 1 Linux | 1 Linux Kernel | 2024-04-17 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: moxart: fix potential use-after-free on remove path It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of the device and using it instead of the pointer dereference. | |||||
| CVE-2023-52468 | 1 Linux | 1 Linux Kernel | 2024-04-17 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: class: fix use-after-free in class_register() The lock_class_key is still registered and can be found in lock_keys_hash hlist after subsys_private is freed in error handler path.A task who iterate over the lock_keys_hash later may cause use-after-free.So fix that up and unregister the lock_class_key before kfree(cp). On our platform, a driver fails to kset_register because of creating duplicate filename '/class/xxx'.With Kasan enabled, it prints a invalid-access bug report. KASAN bug report: BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252 Pointer tag: [15], memory tag: [fe] CPU: 7 PID: 252 Comm: modprobe Tainted: G W 6.6.0-mainline-maybe-dirty #1 Call trace: dump_backtrace+0x1b0/0x1e4 show_stack+0x2c/0x40 dump_stack_lvl+0xac/0xe0 print_report+0x18c/0x4d8 kasan_report+0xe8/0x148 __hwasan_store8_noabort+0x88/0x98 lockdep_register_key+0x19c/0x1bc class_register+0x94/0x1ec init_module+0xbc/0xf48 [rfkill] do_one_initcall+0x17c/0x72c do_init_module+0x19c/0x3f8 ... Memory state around the buggy address: ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe >ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access not use-after-free here.In this case, modprobe is manipulating the corrupted lock_keys_hash hlish where lock_class_key is already freed before. It's worth noting that this only can happen if lockdep is enabled, which is not true for normal system. | |||||
| CVE-2023-52469 | 1 Linux | 1 Linux Kernel | 2024-04-17 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. | |||||
| CVE-2019-25162 | 1 Linux | 1 Linux Kernel | 2024-04-17 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: i2c: Fix a potential use after free Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. [wsa: added comment to the code, added Fixes tag] | |||||
| CVE-2024-30378 | 2024-04-17 | N/A | 5.5 MEDIUM | ||
| A Use After Free vulnerability in command processing of Juniper Networks Junos OS on MX Series allows a local, authenticated attacker to cause the broadband edge service manager daemon (bbe-smgd) to crash upon execution of specific CLI commands, creating a Denial of Service (DoS) condition. The process crashes and restarts automatically. When specific CLI commands are executed, the bbe-smgd daemon attempts to write into an area of memory (mgd socket) that was already closed, causing the process to crash. This process manages and controls the configuration of broadband subscriber sessions and services. While the process is unavailable, additional subscribers will not be able to connect to the device, causing a temporary Denial of Service condition. This issue only occurs if Graceful Routing Engine Switchover (GRES) and Subscriber Management are enabled. This issue affects Junos OS: * All versions before 20.4R3-S5, * from 21.1 before 21.1R3-S4, * from 21.2 before 21.2R3-S3, * from 21.3 before 21.3R3-S5, * from 21.4 before 21.4R3-S5, * from 22.1 before 22.1R3, * from 22.2 before 22.2R3, * from 22.3 before 22.3R2; | |||||
| CVE-2024-30386 | 2024-04-15 | N/A | 5.3 MEDIUM | ||
| A Use-After-Free vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause l2ald to crash leading to a Denial-of-Service (DoS). In an EVPN-VXLAN scenario, when state updates are received and processed by the affected system, the correct order of some processing steps is not ensured, which can lead to an l2ald crash and restart. Whether the crash occurs depends on system internal timing which is outside the attackers control. This issue affects: Junos OS: * All versions before 20.4R3-S8, * 21.2 versions before 21.2R3-S6, * 21.3 versions before 21.3R3-S5, * 21.4 versions before 21.4R3-S4, * 22.1 versions before 22.1R3-S3, * 22.2 versions before 22.2R3-S1, * 22.3 versions before 22.3R3,, * 22.4 versions before 22.4R2; Junos OS Evolved: * All versions before 20.4R3-S8-EVO, * 21.2-EVO versions before 21.2R3-S6-EVO, * 21.3-EVO versions before 21.3R3-S5-EVO, * 21.4-EVO versions before 21.4R3-S4-EVO, * 22.1-EVO versions before 22.1R3-S3-EVO, * 22.2-EVO versions before 22.2R3-S1-EVO, * 22.3-EVO versions before 22.3R3-EVO, * 22.4-EVO versions before 22.4R2-EVO. | |||||
| CVE-2023-33074 | 1 Qualcomm | 120 Qam8255p, Qam8255p Firmware, Qam8295p and 117 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in Audio when SSR event is triggered after music playback is stopped. | |||||
| CVE-2023-33039 | 1 Qualcomm | 42 Qam8295p, Qam8295p Firmware, Qam8650p and 39 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in Automotive Display while destroying the image handle created using connected display driver. | |||||
| CVE-2023-33029 | 1 Qualcomm | 264 Apq8009, Apq8009 Firmware, Ar8035 and 261 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in DSP Service during a remote call from HLOS to DSP. | |||||
| CVE-2023-33021 | 1 Qualcomm | 336 Apq8064au, Apq8064au Firmware, Aqt1000 and 333 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in Graphics while processing user packets for command submission. | |||||
| CVE-2023-28577 | 1 Qualcomm | 62 Fastconnect 6800, Fastconnect 6800 Firmware, Fastconnect 6900 and 59 more | 2024-04-12 | N/A | 7.8 HIGH |
| In the function call related to CAM_REQ_MGR_RELEASE_BUF there is no check if the buffer is being used. So when a function called cam_mem_get_cpu_buf to get the kernel va to use, another thread can call CAM_REQ_MGR_RELEASE_BUF to unmap the kernel va which cause UAF of the kernel address. | |||||
| CVE-2023-21672 | 1 Qualcomm | 114 Fastconnect 6700, Fastconnect 6700 Firmware, Fastconnect 6900 and 111 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in Audio while running concurrent tunnel playback or during concurrent audio tunnel recording sessions. | |||||
| CVE-2022-33298 | 1 Qualcomm | 154 Aqt1000, Aqt1000 Firmware, Qca6310 and 151 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption due to use after free in Modem while modem initialization. | |||||
| CVE-2022-33292 | 1 Qualcomm | 16 Sg4150p, Sg4150p Firmware, Sm6225 and 13 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in Qualcomm IPC due to use after free while receiving the incoming packet and reposting it. | |||||
| CVE-2022-33263 | 1 Qualcomm | 98 Aqt1000, Aqt1000 Firmware, Qam8255p and 95 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption due to use after free in Core when multiple DCI clients register and deregister. | |||||
| CVE-2022-33245 | 1 Qualcomm | 144 Apq8064au, Apq8064au Firmware, Apq8096au and 141 more | 2024-04-12 | N/A | 7.8 HIGH |
| Memory corruption in WLAN due to use after free | |||||