Total
6576 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47892 | 2024-12-16 | N/A | 7.8 HIGH | ||
|
Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.
|
|||||
| CVE-2024-46971 | 2024-12-16 | N/A | 7.8 HIGH | ||
|
Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.
|
|||||
| CVE-2023-21165 | 1 Google | 1 Android | 2024-12-16 | N/A | 7.8 HIGH |
|
In DevmemIntUnmapPMR of devicemem_server.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-49874 | 1 Linux | 1 Linux Kernel | 2024-12-14 | N/A | 7.0 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
In the svc_i3c_master_probe function, &master->hj_work is bound with
svc_i3c_master_hj_work, &master->ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.
If we remove the module which will call svc_i3c_master_remove to
make cleanup, ...
Show More |
|||||
| CVE-2023-40107 | 1 Google | 1 Android | 2024-12-13 | N/A | 7.8 HIGH |
|
In ARTPWriter of ARTPWriter.cpp, there is a possible use after free due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2023-40114 | 1 Google | 1 Android | 2024-12-13 | N/A | 7.8 HIGH |
|
In multiple functions of MtpFfsHandle.cpp , there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2023-40115 | 1 Google | 1 Android | 2024-12-13 | N/A | 7.8 HIGH |
|
In readLogs of StatsService.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-12382 | 1 Google | 1 Chrome | 2024-12-13 | N/A | 8.8 HIGH |
|
Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
|
|||||
| CVE-2023-52600 | 1 Linux | 1 Linux Kernel | 2024-12-12 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix uaf in jfs_evict_inode
When the execution of diMount(ipimap) fails, the object ipimap that has been
released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs
when rcu_core() calls jfs_free_node().
Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as
ipimap.
|
|||||
| CVE-2023-52491 | 1 Linux | 1 Linux Kernel | 2024-12-12 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
mtk_jpeg_job_timeout_work.
In mtk_jpeg_dec_device_run, if error happens in
mtk_jpeg_set_dec_dst, it will finally start the worker while
mark the job as finished by invoking v4l2_m2m_job_finish.
There are two methods to trigger the bug. If we remove the
module, it which will ca ...
Show More |
|||||
| CVE-2024-26616 | 1 Linux | 1 Linux Kernel | 2024-12-12 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned
[BUG]
There is a bug report that, on a ext4-converted btrfs, scrub leads to
various problems, including:
- "unable to find chunk map" errors
BTRFS info (device vdb): scrub: started on devid 1
BTRFS critical (device vdb): unable to find chunk map for logical 2214744064 length 4096
BTRFS critical (device vdb): unable to find chunk map for logical 2214 ...
Show More |
|||||
| CVE-2024-33053 | 1 Qualcomm | 112 C-v2x 9150, C-v2x 9150 Firmware, Fastconnect 6200 and 109 more | 2024-12-12 | N/A | 6.7 MEDIUM |
|
Memory corruption when multiple threads try to unregister the CVP buffer at the same time.
|
|||||
| CVE-2024-33040 | 1 Qualcomm | 60 Fastconnect 6800, Fastconnect 6800 Firmware, Fastconnect 6900 and 57 more | 2024-12-12 | N/A | 6.7 MEDIUM |
|
Memory corruption while invoking redundant release command to release one buffer from user space as race condition can occur in kernel space between buffer release and buffer access.
|
|||||
| CVE-2024-26619 | 1 Linux | 1 Linux Kernel | 2024-12-12 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
riscv: Fix module loading free order
Reverse order of kfree calls to resolve use-after-free error.
|
|||||
| CVE-2024-53139 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix possible UAF in sctp_v6_available()
A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints
that sctp_v6_available() is calling dev_get_by_index_rcu()
and ipv6_chk_addr() without holding rcu.
[1]
=============================
WARNING: suspicious RCU usage
6.12.0-rc5-virtme #1216 Tainted: G W
-----------------------------
net/core/dev.c:876 RCU-list traversed in non-reader section!!
other info that might ...
Show More |
|||||
| CVE-2023-52515 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srp: Do not call scsi_done() from srp_abort()
After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler
callback, it performs one of the following actions:
* Call scsi_queue_insert().
* Call scsi_finish_command().
* Call scsi_eh_scmd_add().
Hence, SCSI abort handlers must not call scsi_done(). Otherwise all
the above actions would trigger a use-after-free. Hence remove the
scsi_done() call from srp_abort(). K ...
Show More |
|||||
| CVE-2020-36788 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: avoid a use-after-free when BO init fails
nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
back to the caller. On failures, ttm_bo_init() invokes the provided
destructor which should de-initialize and free the memory.
Thus, when nouveau_bo_init() returns an error the gem object has already
been released and the memory freed by nouveau_bo_del_ttm().
|
|||||
| CVE-2023-25747 | 1 Mozilla | 1 Firefox | 2024-12-11 | N/A | 7.5 HIGH |
|
A potential use-after-free in libaudio was fixed by disabling the AAudio backend when running on Android API below version 30.
*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 110.1.0.
|
|||||
| CVE-2024-50226 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
cxl/port: Fix use-after-free, permit out-of-order decoder shutdown
In support of investigating an initialization failure report [1],
cxl_test was updated to register mock memory-devices after the mock
root-port/bus device had been registered. That led to cxl_test crashing
with a use-after-free bug with the following signature:
cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 ...
Show More |
|||||
| CVE-2024-50149 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Don't free job in TDR
Freeing job in TDR is not safe as TDR can pass the run_job thread
resulting in UAF. It is only safe for free job to naturally be called by
the scheduler. Rather free job in TDR, add to pending list.
(cherry picked from commit ea2f6a77d0c40d97f4a4dc93fee4afe15d94926d)
|
|||||
| CVE-2024-50114 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Unregister redistributor for failed vCPU creation
Alex reports that syzkaller has managed to trigger a use-after-free when
tearing down a VM:
BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758
CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64
Hardware name: linux,dummy-virt (DT)
Cal ...
Show More |
|||||
| CVE-2024-50106 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.0 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix race between laundromat and free_stateid
There is a race between laundromat handling of revoked delegations
and a client sending free_stateid operation. Laundromat thread
finds that delegation has expired and needs to be revoked so it
marks the delegation stid revoked and it puts it on a reaper list
but then it unlock the state lock and the actual delegation revocation
happens without the lock. Once the stid is marke ...
Show More |
|||||
| CVE-2024-50084 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()
Commit a3c1e45156ad ("net: microchip: vcap: Fix use-after-free error in
kunit test") fixed the use-after-free error, but introduced below
memory leaks by removing necessary vcap_free_rule(), add it to fix it.
unreferenced object 0xffffff80ca58b700 (size 192):
comm "kunit_try_catch", pid 1215, jiffies 4294898264
hex dump (first 32 bytes):
00 ...
Show More |
|||||
| CVE-2023-52510 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ieee802154: ca8210: Fix a potential UAF in ca8210_probe
If of_clk_add_provider() fails in ca8210_register_ext_clock(),
it calls clk_unregister() to release priv->clk and returns an
error. However, the caller ca8210_probe() then calls ca8210_remove(),
where priv->clk is freed again in ca8210_unregister_ext_clock(). In
this case, a use-after-free may happen in the second time we call
clk_unregister().
Fix this by removing the f ...
Show More |
|||||
| CVE-2023-52509 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ravb: Fix use-after-free issue in ravb_tx_timeout_work()
The ravb_stop() should call cancel_work_sync(). Otherwise,
ravb_tx_timeout_work() is possible to use the freed priv after
ravb_remove() was called like below:
CPU0 CPU1
ravb_tx_timeout()
ravb_remove()
unregister_netdev()
free_netdev(ndev)
// free priv
ravb_tx_timeout_work()
// use priv
unregister_netdev() will call .ndo_stop() so that ravb_stop() is
called. ...
Show More |
|||||
| CVE-2021-46958 | 1 Linux | 1 Linux Kernel | 2024-12-11 | N/A | 4.7 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race between transaction aborts and fsyncs leading to use-after-free
There is a race between a task aborting a transaction during a commit,
a task doing an fsync and the transaction kthread, which leads to an
use-after-free of the log root tree. When this happens, it results in a
stack trace like the following:
BTRFS info (device dm-0): forced readonly
BTRFS warning (device dm-0): Skipping commit of aborted tra ...
Show More |
|||||
| CVE-2024-10074 | 1 Openatom | 1 Openharmony | 2024-12-11 | N/A | 8.8 HIGH |
|
in OpenHarmony v4.1.1 and prior versions allow a local attacker cause the common permission is upgraded to root through use after free.
|
|||||
| CVE-2023-52503 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.0 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
There is a potential race condition in amdtee_close_session that may
cause use-after-free in amdtee_open_session. For instance, if a session
has refcount == 1, and one thread tries to free this session via:
kref_put(&sess->refcount, destroy_session);
the reference count will get decremented, and the next step would be to
call destroy_session(). However ...
Show More |
|||||
| CVE-2021-46959 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
spi: Fix use-after-free with devm_spi_alloc_*
We can't rely on the contents of the devres list during
spi_unregister_controller(), as the list is already torn down at the
time we perform devres_find() for devm_spi_release_controller. This
causes devices registered with devm_spi_alloc_{master,slave}() to be
mistakenly identified as legacy, non-devm managed devices and have their
reference counters decremented below 0.
-------- ...
Show More |
|||||
| CVE-2021-47058 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
regmap: set debugfs_name to NULL after it is freed
There is a upstream commit cffa4b2122f5("regmap:debugfs:
Fix a memory leak when calling regmap_attach_dev") that
adds a if condition when create name for debugfs_name.
With below function invoking logical, debugfs_name is
freed in regmap_debugfs_exit(), but it is not created again
because of the if condition introduced by above commit.
regmap_reinit_cache()
regmap_debugfs_exi ...
Show More |
|||||
| CVE-2021-47061 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU
If allocating a new instance of an I/O bus fails when unregistering a
device, wait to destroy the device until after all readers are guaranteed
to see the new null bus. Destroying devices before the bus is nullified
could lead to use-after-free since readers expect the devices on their
reference of the bus to remain valid.
|
|||||
| CVE-2021-47063 | 1 Linux | 1 Linux Kernel | 2024-12-10 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge/panel: Cleanup connector on bridge detach
If we don't call drm_connector_cleanup() manually in
panel_bridge_detach(), the connector will be cleaned up with the other
DRM objects in the call to drm_mode_config_cleanup(). However, since our
drm_connector is devm-allocated, by the time drm_mode_config_cleanup()
will be called, our connector will be long gone. Therefore, the
connector must be cleaned up when the bridge ...
Show More |
|||||
| CVE-2024-52568 | 1 Siemens | 1 Tecnomatix Plant Simulation | 2024-12-10 | N/A | 7.8 HIGH |
|
A vulnerability has been identified in Teamcenter Visualization V14.2 (All versions < V14.2.0.14), Teamcenter Visualization V14.3 (All versions < V14.3.0.12), Teamcenter Visualization V2312 (All versions < V2312.0008), Teamcenter Visualization V2406 (All versions < V2406.0005), Tecnomatix Plant Simulation V2302 (All versions < V2302.0018), Tecnomatix Plant Simulation V2404 (All versions < V2404.0007). The affected applications contain a use-after-free vulnerability that could be triggered while ...
Show More |
|||||
| CVE-2021-47049 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Use after free in __vmbus_open()
The "open_info" variable is added to the &vmbus_connection.chn_msg_list,
but the error handling frees "open_info" without removing it from the
list. This will result in a use after free. First remove it from the
list, and then free it.
|
|||||
| CVE-2021-47048 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op
When handling op->addr, it is using the buffer "tmpbuf" which has been
freed. This will trigger a use-after-free KASAN warning. Let's use
temporary variables to store op->addr.val and op->cmd.opcode to fix
this issue.
|
|||||
| CVE-2023-52475 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
Input: powermate - fix use-after-free in powermate_config_complete
syzbot has found a use-after-free bug [1] in the powermate driver. This
happens when the device is disconnected, which leads to a memory free from
the powermate_device struct. When an asynchronous control message
completes after the kfree and its callback is invoked, the lock does not
exist anymore and hence the bug.
Use usb_kill_urb() on pm->config to cancel ...
Show More |
|||||
| CVE-2021-47081 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
habanalabs/gaudi: Fix a potential use after free in gaudi_memset_device_memory
Our code analyzer reported a uaf.
In gaudi_memset_device_memory, cb is get via hl_cb_kernel_create()
with 2 refcount.
If hl_cs_allocate_job() failed, the execution runs into release_cb
branch. One ref of cb is dropped by hl_cb_put(cb) and could be freed
if other thread also drops one ref. Then cb is used by cb->id later,
which is a potential uaf.
...
Show More |
|||||
| CVE-2021-47012 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix a use after free in siw_alloc_mr
Our code analyzer reported a UAF.
In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
freed object. After, the execution continue up to the err_out branch of
siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop ...
Show More |
|||||
| CVE-2021-47017 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ath10k: Fix a use after free in ath10k_htc_send_bundle
In ath10k_htc_send_bundle, the bundle_skb could be freed by
dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later
by bundle_skb->len.
As skb_len = bundle_skb->len, my patch replaces bundle_skb->len to
skb_len after the bundle_skb was freed.
|
|||||
| CVE-2021-47013 | 1 Linux | 1 Linux Kernel | 2024-12-09 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
If some error happens in emac_tx_fill_tpd(), the skb will be freed via
dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).
As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,
thus my patch ass ...
Show More |
|||||