The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c (CVE-2017-18017)
kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c (CVE-2019-17133)
In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure. (CVE-2016-10741)
Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. (CVE-2016-2069)
The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.
(CVE-2016-2184)
The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-2185)
The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-2186)
The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. (CVE-2016-2543)
Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time. (CVE-2016-2544)
The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call. (CVE-2016-2545)
sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. (CVE-2016-2546)
sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after- free, and system crash) via a crafted ioctl call. (CVE-2016-2547)
The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312. (CVE-2016-2550)
fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. (CVE-2016-2847)
The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3134)
The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor. (CVE-2016-3138)
The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3139)
The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)
The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses. (CVE-2016-3156)
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context- switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.
(CVE-2016-3157)
The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)
Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor. (CVE-2016-3951)
The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. (CVE-2016-4482)
The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. (CVE-2016-4486)
The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)
sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.
(CVE-2016-4578)
The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. (CVE-2016-4580)
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
(CVE-2016-4913)
The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a certain structure member, which allows remote attackers to obtain sensitive information from kernel stack memory by reading an RDS message. (CVE-2016-5244)
Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)
Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a double fetch vulnerability. (CVE-2016-6130)
Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)
The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)
The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. (CVE-2016-7097)
The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out- of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver. (CVE-2016-7915)
An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010. (CVE-2016-8405)
Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.
(CVE-2016-9685)
Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. (CVE-2016-9794)
An information disclosure vulnerability in the kernel UVC driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18.
Android ID: A-33300353. (CVE-2017-0627)
An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18.
Android ID: A-34277115. (CVE-2017-0630)
Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors. (CVE-2017-0861)
The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems. (CVE-2017-1000370)
The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary’s read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5.
This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems. (CVE-2017-1000371)
sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
(CVE-2017-1000380)
Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 3.2 allows local users to gain privileges via a crafted ACPI table. (CVE-2017-11473)
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page.
The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition. (CVE-2017-12190)
In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree. (CVE-2017-12762)
An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions:
Android kernel. Android ID A-34624167. (CVE-2017-13166)
An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993. (CVE-2017-13167)
The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-13693)
The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-13694)
The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-13695)
An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access. (CVE-2017-14051)
The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn’t check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. (CVE-2017-14140)
The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.
(CVE-2017-15102)
security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192. (CVE-2017-15274)
The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16532)
The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16534)
The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16536)
The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16537)
The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16644)
drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16646)
drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16647)
The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16649)
The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16650)
The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)
The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task’s default request-key keyring via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
(CVE-2017-17807)
drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated. (CVE-2017-18079)
In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates. (CVE-2017-18360)
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure. (CVE-2017-18550)
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)
The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log. (CVE-2017-5549)
The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. (CVE-2017-5551)
Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. (CVE-2017-5986)
The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. (CVE-2017-6348)
The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket. (CVE-2017-7542)
Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616)
The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. (CVE-2017-8890)
The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow. (CVE-2017-8924)
The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
(CVE-2017-8925)
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9075)
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9076)
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9077)
In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition. (CVE-2018-1000004)
The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls. (CVE-2018-10675)
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image. (CVE-2018-10840)
It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. (CVE-2018-10902)
The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)
The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. (CVE-2018-10940)
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)
Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)
In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko.
This can occur during a mount of a crafted hfs filesystem. (CVE-2018-12928)
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
(CVE-2018-14617)
drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free). (CVE-2018-14734)
The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace- userspace spectreRSB attacks. (CVE-2018-15572)
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. (CVE-2018-16658)
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7. (CVE-2018-16885)
The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.
(CVE-2018-17977)
An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658. (CVE-2018-18710)
An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
(CVE-2018-20169)
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)
In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference. (CVE-2018-5333)
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. (CVE-2018-5390)
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size. (CVE-2018-5391)
In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
_sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash. (CVE-2018-5803)
The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. (CVE-2018-6927)
In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343. (CVE-2018-7191)
A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST. (CVE-2018-7492)
Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)
In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-71361580. (CVE-2018-9516)
In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References:
Upstream kernel. (CVE-2018-9568)
A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. (CVE-2019-10126)
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e. (CVE-2019-11478)
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363. (CVE-2019-11479)
The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)
An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c.
This causes a Denial of Service, related to a use-after-free. (CVE-2019-11810)
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. (CVE-2019-11833)
The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a ‘\0’ character. (CVE-2019-11884)
An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5.
There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL (CVE-2019-12381)
An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free.
This will cause a denial of service. (CVE-2019-12819)
i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact via crafted ioctl calls to /dev/dri/card0. (CVE-2019-12881)
In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages. (CVE-2019-13631)
In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)
In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14283)
In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14284)
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel’s KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer ‘struct kvm_coalesced_mmio’ object, wherein write indices ‘ring->first’ and ‘ring->last’ value could be supplied by a host user-space process. An unprivileged host user or process with access to ‘/dev/kvm’ device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. (CVE-2019-14821)
The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
(CVE-2019-14898)
check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion. (CVE-2019-15118)
An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)
An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c. (CVE-2019-15214)
An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (CVE-2019-15219)
An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)
An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver. (CVE-2019-15222)
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver. (CVE-2019-15223)
An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation. (CVE-2019-15666)
In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)
An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)
An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c. (CVE-2019-15921)
An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a pf data structure if alloc_disk fails in drivers/block/paride/pf.c. (CVE-2019-15922)
An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a cd data structure if alloc_disk fails in drivers/block/paride/pf.c. (CVE-2019-15923)
drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely (CVE-2019-16230)
drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16234)
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
(CVE-2019-16413)
In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.
(CVE-2019-16714)
In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)
The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code. (CVE-2019-18282)
The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)
The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation. (CVE-2019-18675)
An issue was discovered in the Linux kernel 4.4.x before 4.4.195. There is a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service, aka CID-91573ae4aed0.
(CVE-2019-18680)
A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. (CVE-2019-18806)
fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15. (CVE-2019-18885)
A memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6d0183d5. (CVE-2019-19047)
A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)
A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred (CVE-2019-19055)
A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID- db8fd2cde932. (CVE-2019-19056)
A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)
Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)
A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)
Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)
A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)
A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy to udata failures, aka CID-4a9d46a9fe14. (CVE-2019-19077)
A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has ‘TSX’ enabled. Confidentiality of data is the highest threat associated with this vulnerability.
(CVE-2019-19338)
In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c. (CVE-2019-19377)
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid- axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid- tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)
In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464. (CVE-2019-19533)
In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)
In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs, instead this is an issue with misuse of debugfs within blktrace (CVE-2019-19770)
kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.) (CVE-2019-19922)
In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)
In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.
(CVE-2019-19966)
mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)
In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-119769499 (CVE-2019-2054)
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
(CVE-2019-20811)
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c. (CVE-2019-20934)
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. (CVE-2019-3459)
It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread- unsafe. So an unprivileged multi-threaded userspace application calling recvmsg() for the same network socket in parallel executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash the host leading to a denial-of-service or cause a random memory corruption. (CVE-2019-3837)
A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). (CVE-2019-3896)
An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)
In the Android kernel in unifi and r8180 WiFi drivers there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9270)
In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)
In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-153467744 (CVE-2020-0305)
In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459 (CVE-2020-0431)
In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150693166References: Upstream kernel (CVE-2020-0444)
Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. (CVE-2020-10135)
A flaw was found in the Linux kernel’s implementation of GRO in versions before 5.2. This flaw allows an attacker with local access to crash the system. (CVE-2020-10720)
A flaw was found in the Linux kernel’s implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.
(CVE-2020-10732)
A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)
A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm’s module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. (CVE-2020-10769)
A stack information leak flaw was found in s390/s390x in the Linux kernel’s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data. (CVE-2020-10773)
A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable. (CVE-2020-10781)
An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d. (CVE-2020-11608)
An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1.
drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93. (CVE-2020-11609)
A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)
usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)
The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power. (CVE-2020-12652)
An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.
Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. (CVE-2020-12655)
gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug (CVE-2020-12656)
An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)
A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)
A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.
(CVE-2020-14314)
A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14351)
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage (CVE-2020-14353)
A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of- bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)
In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c. (CVE-2020-14416)
In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770. (CVE-2020-15393)
The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)
A flaw was found in the Linux kernel’s implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn’t correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
(CVE-2020-24586)
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that the A-MSDU flag in the plaintext QoS header field is authenticated.
Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)
In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
(CVE-2020-25211)
A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)
A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812. (CVE-2020-25285)
A flaw was found in the Linux kernel’s implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25641)
A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version (CVE-2020-25705)
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
(CVE-2020-27673)
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x.
drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)
A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free(). (CVE-2020-27784)
A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-27815)
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85. (CVE-2020-28097)
A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)
A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem (CVE-2020-35501)
mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
(CVE-2020-36158)
There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)
There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c. (CVE-2020-8648)
There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)
The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 (The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.) was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this vulnerability to expose sensitive information. (CVE-2020-8832)
An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)
A flaw was found in the Linux kernel’s implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the system. Kernel before kernel 5.5-rc1 is affected. (CVE-2021-20177)
A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.
(CVE-2021-20219)
A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality. (CVE-2021-20239)
A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
(CVE-2021-20261)
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well. (CVE-2021-20322)
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)
nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after- free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)
A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3411)
A flaw was found in the Routing decision classifier in the Linux kernel’s Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)
A flaw was found in the Linux kernel’s OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible. (CVE-2021-3732)
A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)
net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in any net namespace because these changes are leaked into all other net namespaces. This is related to the NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. (CVE-2021-3894)
A vulnerability was found in the Linux kernel’s EBPF verifier when handling internal data structures.
Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. (CVE-2021-4159)
A flaw was found in the Linux kernel’s implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects. (CVE-2022-2938)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory kernel. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195722);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/13");
script_cve_id(
"CVE-2016-2069",
"CVE-2016-2184",
"CVE-2016-2185",
"CVE-2016-2186",
"CVE-2016-2543",
"CVE-2016-2544",
"CVE-2016-2545",
"CVE-2016-2546",
"CVE-2016-2547",
"CVE-2016-2550",
"CVE-2016-2847",
"CVE-2016-3134",
"CVE-2016-3138",
"CVE-2016-3139",
"CVE-2016-3140",
"CVE-2016-3156",
"CVE-2016-3157",
"CVE-2016-3672",
"CVE-2016-3951",
"CVE-2016-4482",
"CVE-2016-4486",
"CVE-2016-4569",
"CVE-2016-4578",
"CVE-2016-4580",
"CVE-2016-4913",
"CVE-2016-5244",
"CVE-2016-5829",
"CVE-2016-6130",
"CVE-2016-6480",
"CVE-2016-7042",
"CVE-2016-7097",
"CVE-2016-7425",
"CVE-2016-7915",
"CVE-2016-8405",
"CVE-2016-9685",
"CVE-2016-9794",
"CVE-2016-10741",
"CVE-2017-0627",
"CVE-2017-0630",
"CVE-2017-0861",
"CVE-2017-5549",
"CVE-2017-5551",
"CVE-2017-5986",
"CVE-2017-6348",
"CVE-2017-7542",
"CVE-2017-7616",
"CVE-2017-7889",
"CVE-2017-8890",
"CVE-2017-8924",
"CVE-2017-8925",
"CVE-2017-9074",
"CVE-2017-9075",
"CVE-2017-9076",
"CVE-2017-9077",
"CVE-2017-11473",
"CVE-2017-12190",
"CVE-2017-12762",
"CVE-2017-13166",
"CVE-2017-13167",
"CVE-2017-13693",
"CVE-2017-13694",
"CVE-2017-13695",
"CVE-2017-14051",
"CVE-2017-14140",
"CVE-2017-15102",
"CVE-2017-15274",
"CVE-2017-16532",
"CVE-2017-16534",
"CVE-2017-16536",
"CVE-2017-16537",
"CVE-2017-16644",
"CVE-2017-16646",
"CVE-2017-16647",
"CVE-2017-16649",
"CVE-2017-16650",
"CVE-2017-17558",
"CVE-2017-17807",
"CVE-2017-18017",
"CVE-2017-18079",
"CVE-2017-18360",
"CVE-2017-18550",
"CVE-2017-18551",
"CVE-2017-1000370",
"CVE-2017-1000371",
"CVE-2017-1000380",
"CVE-2018-1092",
"CVE-2018-1120",
"CVE-2018-1130",
"CVE-2018-3665",
"CVE-2018-5333",
"CVE-2018-5390",
"CVE-2018-5391",
"CVE-2018-5803",
"CVE-2018-6927",
"CVE-2018-7191",
"CVE-2018-7492",
"CVE-2018-7757",
"CVE-2018-9516",
"CVE-2018-9568",
"CVE-2018-10675",
"CVE-2018-10840",
"CVE-2018-10902",
"CVE-2018-10940",
"CVE-2018-12928",
"CVE-2018-13405",
"CVE-2018-14617",
"CVE-2018-14734",
"CVE-2018-15572",
"CVE-2018-16658",
"CVE-2018-16885",
"CVE-2018-17977",
"CVE-2018-18710",
"CVE-2018-20169",
"CVE-2018-1000004",
"CVE-2019-2054",
"CVE-2019-3459",
"CVE-2019-3837",
"CVE-2019-3846",
"CVE-2019-3896",
"CVE-2019-5108",
"CVE-2019-9270",
"CVE-2019-9458",
"CVE-2019-10126",
"CVE-2019-11478",
"CVE-2019-11479",
"CVE-2019-11599",
"CVE-2019-11810",
"CVE-2019-11833",
"CVE-2019-11884",
"CVE-2019-12381",
"CVE-2019-12819",
"CVE-2019-12881",
"CVE-2019-13631",
"CVE-2019-13648",
"CVE-2019-14283",
"CVE-2019-14284",
"CVE-2019-14821",
"CVE-2019-14898",
"CVE-2019-15118",
"CVE-2019-15212",
"CVE-2019-15214",
"CVE-2019-15215",
"CVE-2019-15219",
"CVE-2019-15220",
"CVE-2019-15221",
"CVE-2019-15222",
"CVE-2019-15223",
"CVE-2019-15666",
"CVE-2019-15807",
"CVE-2019-15916",
"CVE-2019-15921",
"CVE-2019-15922",
"CVE-2019-15923",
"CVE-2019-16230",
"CVE-2019-16234",
"CVE-2019-16413",
"CVE-2019-16714",
"CVE-2019-16994",
"CVE-2019-17133",
"CVE-2019-18282",
"CVE-2019-18660",
"CVE-2019-18675",
"CVE-2019-18680",
"CVE-2019-18806",
"CVE-2019-18885",
"CVE-2019-19047",
"CVE-2019-19054",
"CVE-2019-19055",
"CVE-2019-19056",
"CVE-2019-19058",
"CVE-2019-19059",
"CVE-2019-19062",
"CVE-2019-19063",
"CVE-2019-19066",
"CVE-2019-19077",
"CVE-2019-19338",
"CVE-2019-19377",
"CVE-2019-19532",
"CVE-2019-19533",
"CVE-2019-19537",
"CVE-2019-19770",
"CVE-2019-19922",
"CVE-2019-19965",
"CVE-2019-19966",
"CVE-2019-20095",
"CVE-2019-20811",
"CVE-2019-20812",
"CVE-2019-20934",
"CVE-2020-0305",
"CVE-2020-0431",
"CVE-2020-0444",
"CVE-2020-1749",
"CVE-2020-8647",
"CVE-2020-8648",
"CVE-2020-8649",
"CVE-2020-8832",
"CVE-2020-9383",
"CVE-2020-10135",
"CVE-2020-10720",
"CVE-2020-10732",
"CVE-2020-10751",
"CVE-2020-10769",
"CVE-2020-10773",
"CVE-2020-10781",
"CVE-2020-11608",
"CVE-2020-11609",
"CVE-2020-12114",
"CVE-2020-12464",
"CVE-2020-12652",
"CVE-2020-12655",
"CVE-2020-12656",
"CVE-2020-12770",
"CVE-2020-12826",
"CVE-2020-14314",
"CVE-2020-14331",
"CVE-2020-14351",
"CVE-2020-14353",
"CVE-2020-14390",
"CVE-2020-14416",
"CVE-2020-15393",
"CVE-2020-16166",
"CVE-2020-24586",
"CVE-2020-24587",
"CVE-2020-24588",
"CVE-2020-25211",
"CVE-2020-25212",
"CVE-2020-25285",
"CVE-2020-25641",
"CVE-2020-25705",
"CVE-2020-26139",
"CVE-2020-26140",
"CVE-2020-26141",
"CVE-2020-26143",
"CVE-2020-26144",
"CVE-2020-26145",
"CVE-2020-26146",
"CVE-2020-26147",
"CVE-2020-27673",
"CVE-2020-27675",
"CVE-2020-27777",
"CVE-2020-27784",
"CVE-2020-27815",
"CVE-2020-28097",
"CVE-2020-28915",
"CVE-2020-28974",
"CVE-2020-35501",
"CVE-2020-36158",
"CVE-2021-3348",
"CVE-2021-3411",
"CVE-2021-3715",
"CVE-2021-3732",
"CVE-2021-3772",
"CVE-2021-3894",
"CVE-2021-4159",
"CVE-2021-20177",
"CVE-2021-20219",
"CVE-2021-20239",
"CVE-2021-20261",
"CVE-2021-20322",
"CVE-2021-31916",
"CVE-2021-38209",
"CVE-2022-2938"
);
script_xref(name:"IAVA", value:"2018-A-0174-S");
script_xref(name:"CEA-ID", value:"CEA-2020-0138");
script_xref(name:"CEA-ID", value:"CEA-2019-0456");
script_name(english:"RHEL 5 : kernel (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c
(CVE-2017-18017)
- kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c (CVE-2019-17133)
- In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service
(system crash) because there is a race condition between direct and memory-mapped I/O (associated with a
hole) that is handled with BUG_ON instead of an I/O failure. (CVE-2016-10741)
- Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges
by triggering access to a paging structure by a different CPU. (CVE-2016-2069)
- The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux
kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer
dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.
(CVE-2016-2184)
- The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows
physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor. (CVE-2016-2185)
- The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows
physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor. (CVE-2016-2186)
- The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before
4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to
cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. (CVE-2016-2543)
- Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1
allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call
at a certain time. (CVE-2016-2544)
- The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly
maintain a certain linked list, which allows local users to cause a denial of service (race condition and
system crash) via a crafted ioctl call. (CVE-2016-2545)
- sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local
users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl
call. (CVE-2016-2546)
- sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider
slave timer instances, which allows local users to cause a denial of service (race condition, use-after-
free, and system crash) via a crafted ioctl call. (CVE-2016-2547)
- The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of
service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each
descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect
fix for CVE-2013-4312. (CVE-2016-2550)
- fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows
local users to cause a denial of service (memory consumption) by creating many pipes with non-default
sizes. (CVE-2016-2847)
- The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which
allows local users to gain privileges or cause a denial of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3134)
- The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically
proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB
device without both a control and a data endpoint descriptor. (CVE-2016-3138)
- The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows
physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash)
via a crafted endpoints value in a USB device descriptor. (CVE-2016-3139)
- The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1
allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system
crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)
- The IPv4 implementation in the Linux kernel before 4.5.2 mishandles destruction of device objects, which
allows guest OS users to cause a denial of service (host OS networking outage) by arranging for a large
number of IP addresses. (CVE-2016-3156)
- The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-
switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial
of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.
(CVE-2016-3157)
- The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not
properly randomize the legacy base address, which makes it easier for local users to defeat the intended
restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or
setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)
- Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically
proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact
by inserting a USB device with an invalid USB descriptor. (CVE-2016-3951)
- The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not
initialize a certain data structure, which allows local users to obtain sensitive information from kernel
stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. (CVE-2016-4482)
- The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not
initialize a certain data structure, which allows local users to obtain sensitive information from kernel
stack memory by reading a Netlink message. (CVE-2016-4486)
- The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not
initialize a certain data structure, which allows local users to obtain sensitive information from kernel
stack memory via crafted use of the ALSA timer interface. (CVE-2016-4569)
- sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which
allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA
timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.
(CVE-2016-4578)
- The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does
not properly initialize a certain data structure, which allows attackers to obtain sensitive information
from kernel stack memory via an X.25 Call Request. (CVE-2016-4580)
- The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM
(aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive
information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
(CVE-2016-4913)
- The rds_inc_info_copy function in net/rds/recv.c in the Linux kernel through 4.6.3 does not initialize a
certain structure member, which allows remote attackers to obtain sensitive information from kernel stack
memory by reading an RDS message. (CVE-2016-5244)
- Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in
the Linux kernel through 4.6.3 allow local users to cause a denial of service or possibly have unspecified
other impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call. (CVE-2016-5829)
- Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel
before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain
length value, aka a double fetch vulnerability. (CVE-2016-6130)
- Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel
through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by
changing a certain size value, aka a double fetch vulnerability. (CVE-2016-6480)
- The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU
Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout
data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading
the /proc/keys file. (CVE-2016-7042)
- The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr
call, which allows local users to gain group privileges by leveraging the existence of a setgid program
with restrictions on execute permissions. (CVE-2016-7097)
- The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2
does not restrict a certain length field, which allows local users to gain privileges or cause a denial of
service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
- The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically
proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-
of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver. (CVE-2016-7915)
- An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB
driver and networking subsystem could enable a local malicious application to access data outside of its
permission levels. This issue is rated as Moderate because it first requires compromising a privileged
process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010. (CVE-2016-8405)
- Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow
local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.
(CVE-2016-9685)
- Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the
Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have
unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. (CVE-2016-9794)
- An information disclosure vulnerability in the kernel UVC driver could enable a local malicious
application to access data outside of its permission levels. This issue is rated as Moderate because it
first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18.
Android ID: A-33300353. (CVE-2017-0627)
- An information disclosure vulnerability in the kernel trace subsystem could enable a local malicious
application to access data outside of its permission levels. This issue is rated as Moderate because it
first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18.
Android ID: A-34277115. (CVE-2017-0630)
- Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows
attackers to gain privileges via unspecified vectors. (CVE-2017-0861)
- The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be
execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000
and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This
affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This
issue appears to be limited to i386 based systems. (CVE-2017-1000370)
- The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to
RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack
will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance
between the end of the PIE binary's read-write segment and the start of the stack becomes small enough
that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5.
This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to
i386 based systems. (CVE-2017-1000371)
- sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA
/dev/snd/timer driver resulting in local users being able to read information belonging to other users,
i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
(CVE-2017-1000380)
- Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux
kernel through 3.2 allows local users to gain privileges via a crafted ACPI table. (CVE-2017-11473)
- The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do
unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page.
The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a
memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk
is passed through to a virtual machine) due to an out-of-memory condition. (CVE-2017-12190)
- In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size
using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel
4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree. (CVE-2017-12762)
- An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions:
Android kernel. Android ID A-34624167. (CVE-2017-13166)
- An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android
kernel. Android ID A-37240993. (CVE-2017-13167)
- The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9
does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain
sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through
4.9) via a crafted ACPI table. (CVE-2017-13693)
- The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through
4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local
users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the
kernel through 4.9) via a crafted ACPI table. (CVE-2017-13694)
- The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does
not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive
information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a
crafted ACPI table. (CVE-2017-13695)
- An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in
the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and
system crash) by leveraging root access. (CVE-2017-14051)
- The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective
uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable
despite ASLR. (CVE-2017-14140)
- The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local
users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a
write-what-where condition that occurs after a race condition and a NULL pointer dereference.
(CVE-2017-15102)
- security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in
conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL
pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than
CVE-2017-12192. (CVE-2017-15274)
- The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local
users to cause a denial of service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16532)
- The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows
local users to cause a denial of service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16534)
- The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via a crafted USB device. (CVE-2017-16536)
- The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users
to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16537)
- The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11
allows local users to cause a denial of service (improper error handling and system crash) or possibly
have unspecified other impact via a crafted USB device. (CVE-2017-16644)
- drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to
cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted
USB device. (CVE-2017-16646)
- drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a
crafted USB device. (CVE-2017-16647)
- The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11
allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16649)
- The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local
users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16650)
- The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux
kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before
attempting to release resources, which allows local users to cause a denial of service (out-of-bounds
write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)
- The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to
the current task's default request-key keyring via the request_key() system call, allowing a local user
to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write
permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
(CVE-2017-17807)
- drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of
service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the
port->exists value can change after it is validated. (CVE-2017-18079)
- In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could
cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud
rates. (CVE-2017-18360)
- An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is
potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo
structure. (CVE-2017-18550)
- An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an
out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)
- The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5
places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which
allows local users to obtain sensitive information by reading the log. (CVE-2017-5549)
- The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit
during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by
leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2016-7097. (CVE-2017-5551)
- Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11
allows local users to cause a denial of service (assertion failure and panic) via a multithreaded
application that peels off an association in a certain buffer-full state. (CVE-2017-5986)
- The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages
lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on
IrDA devices. (CVE-2017-6348)
- The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local
users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open
a raw socket. (CVE-2017-7542)
- Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux
kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by
triggering failure of a certain bitmap operation. (CVE-2017-7616)
- The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism, which allows local users to read or write to kernel memory locations in the first
megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file,
related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)
- The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15
allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by
leveraging use of the accept system call. (CVE-2017-8890)
- The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows
local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel
memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer
underflow. (CVE-2017-8924)
- The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local
users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling.
(CVE-2017-8925)
- The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the
nexthdr field may be associated with an invalid option, which allows local users to cause a denial of
service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send
system calls. (CVE-2017-9074)
- The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles
inheritance, which allows local users to cause a denial of service or possibly have unspecified other
impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9075)
- The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles
inheritance, which allows local users to cause a denial of service or possibly have unspecified other
impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9076)
- The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles
inheritance, which allows local users to cause a denial of service or possibly have unspecified other
impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9077)
- In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in
the sound system, this can lead to a deadlock and denial of service condition. (CVE-2018-1000004)
- The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to
cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system
calls. (CVE-2018-10675)
- Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry()
function. An attacker could exploit this by operating on a mounted crafted ext4 image. (CVE-2018-10840)
- It was found that the raw midi kernel driver does not protect against concurrent access which leads to a
double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part
of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for
privilege escalation. (CVE-2018-10902)
- The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a
root directory with a zero i_links_count, which allows attackers to cause a denial of service
(ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)
- The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows
local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out
kernel memory. (CVE-2018-10940)
- A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a
process's memory containing command line arguments (or environment strings), an attacker can cause
utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the
/proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some
controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)
- Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit()
function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of
certain crafted system calls. (CVE-2018-1130)
- In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko.
This can occur during a mount of a crafted hfs filesystem. (CVE-2018-12928)
- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create
files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and
is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a
plain file whose group ownership is that group. The intended behavior was that the non-member can trigger
creation of a directory (but not a plain file) whose group ownership is that group. The non-member can
escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
- An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic
in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+
filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
(CVE-2018-14617)
- drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a
certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial
of service (use-after-free). (CVE-2018-14734)
- The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1
does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-
userspace spectreRSB attacks. (CVE-2018-15572)
- An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status
in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from
unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. (CVE-2018-16658)
- A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar
functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in
certain cases causing a memory access fault and a system halt by accessing invalid memory address. This
issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7. (CVE-2018-16885)
- The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets,
and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and
system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.
(CVE-2018-17977)
- An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc
in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from
unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and
CVE-2018-16658. (CVE-2018-18710)
- An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during
the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
(CVE-2018-20169)
- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)
- In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where
page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer
dereference. (CVE-2018-5333)
- Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and
tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. (CVE-2018-5390)
- The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially
modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by
sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered
and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel
with the increase of the IP fragment reassembly queue size. (CVE-2018-5391)
- In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
_sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be
exploited to cause a kernel crash. (CVE-2018-5803)
- The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to
cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a
negative wake or requeue value. (CVE-2018-6927)
- In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before
register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and
panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to
CVE-2013-4343. (CVE-2018-7191)
- A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel
before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to
RDS_GET_MR and RDS_GET_MR_FOR_DEST. (CVE-2018-7492)
- Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux
kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read
accesses to files in the /sys/class/sas_phy directory, as demonstrated by the
/sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)
- In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a
missing bounds check. This could lead to local escalation of privilege with System execution privileges
needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android
ID: A-71361580. (CVE-2018-9516)
- In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead
to local escalation of privilege with no additional execution privileges needed. User interaction is not
needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References:
Upstream kernel. (CVE-2018-9568)
- A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function
in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other
consequences. (CVE-2019-10126)
- Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux
kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote
attacker could use this to cause a denial of service. This has been fixed in stable kernel releases
4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit
f070ef2ac66716357066b683fb0baf55f8191a2e. (CVE-2019-11478)
- Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a
remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote
attacker could use this to cause a denial of service. This has been fixed in stable kernel releases
4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits
967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363. (CVE-2019-11479)
- The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to
prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive
information, cause a denial of service, or possibly have unspecified other impact by triggering a race
condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c,
fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)
- An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when
megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c.
This causes a Denial of Service, related to a use-after-free. (CVE-2019-11810)
- fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the
extent tree block, which might allow local users to obtain sensitive information by reading uninitialized
data in the filesystem. (CVE-2019-11833)
- The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a
local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command,
because a name field may not end with a '\0' character. (CVE-2019-11884)
- An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5.
There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL
pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL
(CVE-2019-12381)
- An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in
drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free.
This will cause a denial of service. (CVE-2019-12819)
- i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu
18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly
have unspecified other impact via crafted ioctl calls to /dev/dri/card0. (CVE-2019-12881)
- In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a
malicious USB device can send an HID report that triggers an out-of-bounds write during generation of
debugging messages. (CVE-2019-13631)
- In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled,
a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn()
system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and
arch/powerpc/kernel/signal_64.c. (CVE-2019-13648)
- In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and
head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an
unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by
default. (CVE-2019-14283)
- In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params
division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry
with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should
be called. It can be triggered by an unprivileged local user even when a floppy disk has not been
inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14284)
- An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux
kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer
'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be
supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of service or potentially
escalating privileges on the system. (CVE-2019-14821)
- The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could
use this flaw to obtain sensitive information, cause a denial of service, or possibly have other
unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
(CVE-2019-14898)
- check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to
kernel stack exhaustion. (CVE-2019-15118)
- An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB
device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)
- An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound
subsystem because card disconnection causes certain data structures to be deleted too early. This is
related to sound/core/init.c and sound/core/info.c. (CVE-2019-15214)
- An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)
- An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver. (CVE-2019-15219)
- An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious
USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)
- An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a
malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
- An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a
malicious USB device in the sound/usb/helper.c (motu_microbookii) driver. (CVE-2019-15222)
- An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
malicious USB device in the sound/usb/line6/driver.c driver. (CVE-2019-15223)
- An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in
net/xfrm/xfrm_user.c mishandles directory validation. (CVE-2019-15666)
- In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS
expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)
- An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in
register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. (CVE-2019-15916)
- An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc()
fails in genl_register_family() in net/netlink/genetlink.c. (CVE-2019-15921)
- An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a pf
data structure if alloc_disk fails in drivers/block/paride/pf.c. (CVE-2019-15922)
- An issue was discovered in the Linux kernel before 5.0.9. There is a NULL pointer dereference for a cd
data structure if alloc_disk fails in drivers/block/paride/pf.c. (CVE-2019-15923)
- drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue
return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that
the work queue allocation is happening during device initialization, which for a graphics card occurs
during boot. It is not attacker controllable and OOM at that time is highly unlikely (CVE-2019-16230)
- drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the
alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16234)
- An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write()
properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
(CVE-2019-16413)
- In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain
sensitive information from kernel stack memory because tos and flags fields are not initialized.
(CVE-2019-16714)
- In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when
register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka
CID-07f12b26e21a. (CVE-2019-16994)
- The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking
vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on
a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value
remains the same starting from boot time, and can be inferred by an attacker. This affects
net/core/flow_dissector.c and related code. (CVE-2019-18282)
- The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is
not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to
arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)
- The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in
drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local
users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can
possibly result in a privilege escalation. (CVE-2019-18675)
- An issue was discovered in the Linux kernel 4.4.x before 4.4.195. There is a NULL pointer dereference in
rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service, aka CID-91573ae4aed0.
(CVE-2019-18680)
- A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the
Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by
triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. (CVE-2019-18806)
- fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer
dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka
CID-09ba3bc9dd15. (CVE-2019-18885)
- A memory leak in the mlx5_fw_fatal_reporter_dump() function in
drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before 5.3.11 allows attackers to
cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka
CID-c7ed6d0183d5. (CVE-2019-19047)
- A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux
kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
kfifo_alloc() failures, aka CID-a7b2df76b42b. (CVE-2019-19054)
- A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux
kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because
it occurs on a code path where a successful allocation has already occurred (CVE-2019-19055)
- A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in
drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a
denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-
db8fd2cde932. (CVE-2019-19056)
- A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux
kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)
- Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in
drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow
attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or
dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)
- A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through
5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)
- Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the
Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka
CID-3f9361695113. (CVE-2019-19063)
- A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel
through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)
- A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the
Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by
triggering copy to udata failures, aka CID-4a9d46a9fe14. (CVE-2019-19077)
- A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,
the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error
occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by
the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction
mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism
to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that
host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
(CVE-2019-19338)
- In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and
unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c. (CVE-2019-19377)
- In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a
malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-
axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-
tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)
- In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device
in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464. (CVE-2019-19533)
- In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB
device in the USB character device driver layer, aka CID-303911cfc5b9. This affects
drivers/usb/core/file.c. (CVE-2019-19537)
- In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in
fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created
with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers
dispute this issue as not being an issue with debugfs, instead this is an issue with misuse of debugfs
within blktrace (CVE-2019-19770)
- kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with
Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by
generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words,
although this slice expiration would typically be seen with benign workloads, it is possible that an
attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a
low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray
requests. An attack does not affect the stability of the kernel; it only causes mismanagement of
application execution.) (CVE-2019-19922)
- In the Linux kernel through 5.4.6, there is a NULL pointer dereference in
drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related
to a PHY down race condition, aka CID-f70267f379b5. (CVE-2019-19965)
- In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in
drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.
(CVE-2019-19966)
- mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has
some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will
cause a memory leak and denial of service. (CVE-2019-20095)
- In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to
seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege with no
additional execution privileges needed. User interaction is not needed for exploitation. Product: Android
Versions: Android kernel Android ID: A-119769499 (CVE-2019-2054)
- An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and
netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
(CVE-2019-20811)
- An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in
net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain
failure case involving TPACKET_V3, aka CID-b43d1f9f7067. (CVE-2019-20812)
- An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a
use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka
CID-16d51a590a8c. (CVE-2019-20934)
- A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before
5.1-rc1. (CVE-2019-3459)
- It was found that the net_dma code in tcp_recvmsg() in the 2.6.32 kernel as shipped in RHEL6 is thread-
unsafe. So an unprivileged multi-threaded userspace application calling recvmsg() for the same network
socket in parallel executed on ioatdma-enabled hardware with net_dma enabled can leak the memory, crash
the host leading to a denial-of-service or cause a random memory corruption. (CVE-2019-3837)
- A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the
mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)
- A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged
local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service
(DoS). (CVE-2019-3896)
- An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An
attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations
before the required authentication process has completed. This could lead to different denial-of-service
scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already
existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge
Authentication and Association Request packets to trigger this vulnerability. (CVE-2019-5108)
- In the Android kernel in unifi and r8180 WiFi drivers there is a possible out of bounds write due to a
missing bounds check. This could lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation. (CVE-2019-9270)
- In the Android kernel in the video driver there is a use after free due to a race condition. This could
lead to local escalation of privilege with no additional execution privileges needed. User interaction is
not needed for exploitation. (CVE-2019-9458)
- In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to
local escalation of privilege with System execution privileges needed. User interaction is not needed for
exploitation.Product: AndroidVersions: Android-10Android ID: A-153467744 (CVE-2020-0305)
- In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This
could lead to local escalation of privilege with no additional execution privileges needed. User
interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-144161459
(CVE-2020-0431)
- In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in
audit_data_to_entry. This could lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android
kernelAndroid ID: A-150693166References: Upstream kernel (CVE-2020-0444)
- Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2
and earlier may allow an unauthenticated user to complete authentication without pairing credentials via
adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or
slave to pair with a previously paired remote device to successfully complete the authentication procedure
without knowing the link key. (CVE-2020-10135)
- A flaw was found in the Linux kernel's implementation of GRO in versions before 5.2. This flaw allows an
attacker with local access to crash the system. (CVE-2020-10720)
- A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an
attacker with a local account to crash a trivial program and exfiltrate private kernel data.
(CVE-2020-10732)
- A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it
incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly
only validate the first netlink message in the skb and allow or deny the rest of the messages within the
skb with the granted permission without further processing. (CVE-2020-10751)
- A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in
crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4
bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,
leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of
service. (CVE-2020-10769)
- A stack information leak flaw was found in s390/s390x in the Linux kernel's memory manager functionality,
where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the
kernel data. (CVE-2020-10773)
- A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local
account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in
the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the
creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large
amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random
userspace processes, possibly making the system inoperable. (CVE-2020-10781)
- An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka
CID-998912346c0d. (CVE-2020-11608)
- An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1.
drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle
invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93. (CVE-2020-11609)
- A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before
4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a
denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)
- usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because
a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)
- The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows
local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a
double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this
bug is not as bad as it could have been because these operations are all privileged and root already has
enormous destructive power. (CVE-2020-12652)
- An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.
Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka
CID-d0c7feaf8767. (CVE-2020-12655)
- gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux
kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak. Note: This was
disputed with the assertion that the issue does not grant any access not already available. It is a
problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a
privileged operation. A user could also write a kernel module to consume any amount of memory they like
and load that replicating the effect of this bug (CVE-2020-12656)
- An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a
certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)
- A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a
do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in
a different security domain. Exploitation limitations include the amount of elapsed time before an integer
overflow occurs, and the lack of scenarios where signals to a parent process present a substantial
operational threat. (CVE-2020-12826)
- A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file
system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash
the system if the directory exists. The highest threat from this vulnerability is to system availability.
(CVE-2020-14314)
- A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a
local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds
write to occur. This flaw allows a local user with access to the VGA console to crash the system,
potentially escalating their privileges on the system. The highest threat from this vulnerability is to
data confidentiality and integrity as well as system availability. (CVE-2020-14331)
- A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem
allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate
privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as
system availability. (CVE-2020-14351)
- Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a
duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this
candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
(CVE-2020-14353)
- A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-
bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of
the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)
- In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line
discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and
drivers/net/can/slcan.c. (CVE-2020-14416)
- In the Linux kernel 4.4 through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak,
aka CID-28ebeb8db770. (CVE-2020-15393)
- The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive
information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to
drivers/char/random.c and kernel/time/timer.c. (CVE-2020-16166)
- A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN
and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't
correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would
allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this
vulnerability is to data confidentiality. (CVE-2020-1749)
- The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent
Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a
network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,
CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
(CVE-2020-24586)
- The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent
Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary
can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,
CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)
- The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent
Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an
adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)
- In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could
overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in
ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
(CVE-2020-25211)
- A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers
to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c
instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)
- A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be
used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified
other impact, aka CID-17743798d812. (CVE-2020-25285)
- A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length
biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a
denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block
device, resulting in a denial of service. The highest threat from this vulnerability is to system
availability. (CVE-2020-25641)
- A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw
allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that
relies on UDP source port randomization are indirectly affected as well on the Linux Based Products
(RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,
SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE
W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All
versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7
LTE EU: Version (CVE-2020-25705)
- An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other
clients even though the sender has not yet successfully authenticated to the AP. This might be abused in
projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier
to exploit other vulnerabilities in connected clients. (CVE-2020-26139)
- An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and
WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to
inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)
- An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation
does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can
abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-
confidentiality protocol. (CVE-2020-26141)
- An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and
WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can
abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)
- An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3
implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042
(i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets
independent of the network configuration. (CVE-2020-26144)
- An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3
implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process
them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets
independent of the network configuration. (CVE-2020-26145)
- An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations
reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate
selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the
WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by
design. (CVE-2020-26146)
- An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble
fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject
packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,
CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)
- An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users
can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
(CVE-2020-27673)
- An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x.
drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race
condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash
via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)
- A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked
down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries
platform) a root like local user could use this flaw to further increase their privileges to that of a
running kernel. (CVE-2020-27777)
- A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl()
printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had
been freed by gprinter_free(). (CVE-2020-27784)
- A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the
ability to set extended attributes to panic the system, causing memory corruption or escalating
privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system
availability. (CVE-2020-27815)
- The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a
vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85. (CVE-2020-28097)
- A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be
used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)
- A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to
read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because
KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)
- A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not
be correctly not be logged by the audit subsystem (CVE-2020-35501)
- mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through
5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
(CVE-2020-36158)
- There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in
drivers/tty/vt/vt.c. (CVE-2020-8647)
- There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common
function in drivers/tty/n_tty.c. (CVE-2020-8648)
- There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region
function in drivers/video/console/vgacon.c. (CVE-2020-8649)
- The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 (The Linux kernel did not properly
clear data structures on context switches for certain Intel graphics processors.) was discovered to be
incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacker could use this
vulnerability to expose sensitive information. (CVE-2020-8832)
- An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to
a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,
aka CID-2e90ca68b0d2. (CVE-2020-9383)
- A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged
user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can panic the
system. Kernel before kernel 5.5-rc1 is affected. (CVE-2021-20177)
- A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the
Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a
changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability.
(CVE-2021-20219)
- A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an
attacker with a local account to leak information about kernel internal addresses. The highest threat from
this vulnerability is to confidentiality. (CVE-2021-20239)
- A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver
software. The impact of this issue is lessened by the fact that the default permissions on the floppy
device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes
greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
(CVE-2021-20261)
- A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux
kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an
off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this
vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source
port randomization are indirectly affected as well. (CVE-2021-20322)
- An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-
device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with
special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or
a leak of internal kernel information. The highest threat from this vulnerability is to system
availability. (CVE-2021-31916)
- nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-
free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a
certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)
- A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found
while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to
data confidentiality and integrity as well as system availability. (CVE-2021-3411)
- A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking
subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat
from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)
- A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem
with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be
accessible. (CVE-2021-3732)
- A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP
association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and
the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)
- net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in
any net namespace because these changes are leaked into all other net namespaces. This is related to the
NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)
- Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn
by its CNA. Further investigation showed that it was not a security issue. Notes: none. (CVE-2021-3894)
- A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.
Internal memory locations could be returned to userspace. A local attacker with the permissions to insert
eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit
mitigations in place for the kernel. (CVE-2021-4159)
- A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is
disabled by default, it could allow an attacker to crash the system or have other memory-corruption side
effects. (CVE-2022-2938)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-17133");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:acpica-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-alt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
include('ksplice.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'kernel', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'kernel'}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
redhat | enterprise_linux | acpica-tools | p-cpe:/a:redhat:enterprise_linux:acpica-tools |
redhat | enterprise_linux | kernel | p-cpe:/a:redhat:enterprise_linux:kernel |
redhat | enterprise_linux | kernel-alt | p-cpe:/a:redhat:enterprise_linux:kernel-alt |
redhat | enterprise_linux | kernel-rt | p-cpe:/a:redhat:enterprise_linux:kernel-rt |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10741
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2069
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2184
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2185
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2186
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2543
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2545
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2546
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2547
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2550
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2847
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3138
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3139
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3140
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3156
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3157
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3951
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4482
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4486
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4569
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4578
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4580
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5244
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5829
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7042
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7425
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7915
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9685
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9794
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0627
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0630
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000370
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000371
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11473
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13166
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13167
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13693
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13694
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13695
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14051
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14140
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15102
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15274
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16644
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16646
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16647
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18017
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18079
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18360
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18550
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18551
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5549
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7542
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7616
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7889
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8924
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8925
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000004
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10675
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10840
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10902
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1092
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10940
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1120
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12928
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14617
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14734
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15572
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16658
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18710
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5333
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5391
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5803
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6927
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7191
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7492
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7757
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9516
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9568
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11599
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11810
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11833
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11884
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12381
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12819
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12881
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13631
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14283
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14284
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14898
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15118
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15212
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15214
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15215
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15219
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15220
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15221
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15222
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15223
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15666
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15921
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15922
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15923
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16230
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16234
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16413
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16714
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16994
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17133
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18282
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18660
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18675
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18680
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18806
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19047
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19054
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19055
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19056
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19058
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19059
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19062
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19063
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19066
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19077
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19338
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19377
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19532
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19533
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19537
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19770
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19922
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19965
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19966
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20095
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2054
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20811
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20812
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20934
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3837
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3846
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3896
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5108
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9270
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9458
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0431
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0444
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10135
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10720
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10732
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10751
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10769
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10773
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10781
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11608
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11609
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12114
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12464
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12652
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12655
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12770
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12826
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14314
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14331
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14351
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14353
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14416
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15393
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16166
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1749
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25211
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25212
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25285
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25641
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25705
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26140
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26141
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26143
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26146
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27673
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27675
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27777
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27784
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27815
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28097
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28915
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28974
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35501
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36158
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8647
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8832
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9383
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20219
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20239
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20261
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20322
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3348
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3411
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3715
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3732
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38209
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3894
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4159
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2938