posix-cpu-timers: Cleanup CPU timers before freeing them

ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

UBUNTU: SAUCE: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

fanotify: Fix stale file descriptor in copy_event_to_user()

openvswitch: fix OOB access in reserve_sfa_size()

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path

SUNRPC: Ensure we flush any closed sockets before

SUNRPC: Don't leak sockets in xs_local_connect()

SUNRPC: Ensure we flush any closed sockets before (adaptation)

net/sched: cls_u32: fix netns refcount changes in

netfilter: nf_queue: do not allow packet truncation below transport header offset

Bluetooth: fix repeated calls to sco_sock_kill

Bluetooth: avoid circular locks in sco_sock_connect

Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

ALSA: pcm: Fix races among concurrent read/write and buffer changes

ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls

ALSA: pcm: Fix races among concurrent prealloc proc writes

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls (adaptation)

af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register

ipv4: avoid using shared IP generator for connected sockets

ipv4: tcp: send zero IPID in SYNACK messages

cifs: prevent bad output lengths in smb2_ioctl_query_info()

cifs: fix NULL ptr dereference in smb2_ioctl_query_info()

udf: Restore i_lenAlloc when inode expansion fails

udf: Fix NULL ptr deref when converting from inline format

Reinstate some of "swiotlb: rework "fix info leak with

netfilter: nf_tables: initialize registers in nft_do_chain()

ext4: verify dir block before splitting it

ext4: make variable "count" signed

KVM: x86: avoid calling x86 emulator without a decoded

x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data

lockdown: also lock down previous kgdb use

netfilter: nf_tables: disallow binding to already bound chain

NFSv4: Handle case where the lookup of a directory fails

netfilter: nf_tables: do not allow SET_ID to refer to another

netfilter: nf_tables: do not allow CHAIN_ID to refer to

netfilter: nf_tables: do not allow RULE_ID to refer to

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master (adaptation)

net: usb: ax88179_178a: Fix out-of-bounds accesses in RX

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

pipe: Fix missing lock in pipe_resize_ring()

drm/i915: fix TLB invalidation for Gen12 video and compute

i2c: ismt: prevent memory corruption in ismt_access()

proc: proc_skip_spaces() shouldn't think it is working on C strings

proc: avoid integer type confusion in get_proc_long

netfilter: nft_payload: incorrect arithmetics when fetching

NFSD: fix use-after-free in __nfs42_ssc_open()

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

act_mirred: use the backlog for nested calls to mirred ingress

tun: avoid double free in tun_free_netdev

tun: avoid double free in tun_free_netdev

ovl: fail on invalid uid/gid mapping at copy up

KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()

watchqueue: make sure to serialize 'wqueue->defunct' properly

devlink: Fix use-after-free after a failed reload

xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

wifi: cfg80211: fix BSS refcounting bugs

net/ulp: prevent ULP without clone op from entering the LISTEN status

af_key: Do not call xfrm_probe_algs in parallel

mm/hugetlb: fix race condition of uffd missing/minor handling

igmp: Add ip_mc_list lock in ip_check_mc_rcu

KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled.

usb: mon: make mmapped memory read only

wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()

tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()

tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()

tcp/udp: Fix memory leak in ipv6_renew_options().

drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

mptcp: fix subflow traversal at disconnect time

l2tp: Serialize access to sk_user_data with sk_callback_lock

l2tp: Don't sleep and disable BH under writer-side sk_callback_lock

can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path

wifi: cfg80211: avoid nontransmitted BSS list corruption

ext4: fix kernel BUG in 'ext4_write_inline_data_end()'

bluetooth: Perform careful capability checks in hci_sock_ioctl()

xfs: verify buffer contents when we skip log replay

i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

perf: Fix check before add_event_to_groups() in perf_group_detach()

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

netfilter: nf_tables: deactivate anonymous set from preparation phase

KVM: x86/mmu: Fix race condition in direct_page_fault

prlimit: do_prlimit needs to have a speculation check

ipvlan:Fix out-of-bounds caused by unclear skb->cb

net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

out of scope, ARM EFI related

x86/speculation: Restore speculation related MSRs during S3 resume

hw: amd: Cross-Process Information Leak

netfilter: nft_set_pipapo: fix improper element removal

netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

netfilter: nf_tables: fix chain binding transaction logic

netfilter: nf_tables: fix chain binding transaction logic

net/sched: cls_u32: Fix reference counter leak leading to overflow

NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

memstick: r592: Fix UAF bug in r592_remove due to race condition

relayfs: fix out-of-bounds access in relay_file_read

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_u32: No longer copy tcf_result on update to avoid

libceph: harden msgr2.1 frame segment length checks

HID: check empty report_list in hid_validate_values()

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

KVM: nVMX: add missing consistency checks for CR0 and CR4

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

Fixes require microcode updates

ovl: fix use after free in struct ovl_aio_req

ovl: fix use after free in struct ovl_aio_req

sctp: fail if no bound addresses can be used for a given scope

net: add sock_init_data_uid()

tap: tap_open(): correctly initialize socket uid

tun: tun_chr_open(): correctly initialize socket uid

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

fbcon: Check font dimension limits

fbcon: HID: intel_ish-hid: Add check for ishtp_dma_tx_map

xfrm: add NULL check in xfrm_update_ae_params

Smart Patch for fs/exfat/dir.c

r8152: Rate limit overflow messages

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

mm/memory.c: fix race when faulting a device private page

nouveau: Fix migrate_to_ram() for faulting page

mm/memory: return vm_fault_t result from migrate_to_ram() callback

net/tls: tls_is_tx_ready() checked list_entry

net: mpls: fix stale pointer if allocation fails during device rename

gfs2: Don't deref jdesc in evict

net: tap_open(): set sk_uid from current_fsuid()

net: tun_chr_open(): set sk_uid from current_fsuid()

KVM: SEV: only access GHCB fields once

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

In RHEL9 (and derivatives) isdn/mISDN driver is absent, not compiled.

coredump/elf: Pass coredump_params into fill_note_info

coredump: fix memleak in dump_vma_snapshot()

coredump: Snapshot the vmas in do_coredump

coredump: Remove the WARN_ON in dump_vma_snapshot

coredump: Use the vma snapshot in fill_files_note

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

cifs: Fix UAF in cifs_demultiplex_thread()

x86/sev: Disable MMIO emulation from user mode

nfp: fix use-after-free in area_cache_get()

netfilter: nf_tables: skip bound chain on rule flush

net: tun: fix bugs for oversize packet when napi frags enabled

kernel-5.14.0-284.11.1.el9_2 and earlier are not vulnerable because they don't have the commit 4bedf9eee016 (netfilter: nf_tables: fix chain binding transaction logic) that introduced the vulnerability

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

net/sched: sch_hfsc: Ensure inner classes have fsc curve

Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

drivers: net: slip: fix NPD bug in sl_tx_timeout()

x86/sev: Disable MMIO emulation from user mode

x86/sev: Check IOBM for IOIO exceptions from user-space

x86/sev: Check for user-space IOIO pointing to kernel space

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

drm/vmwgfx: Fix shader stage validation

can: af_can: fix NULL pointer dereference in can_rcv_filter

Affected device driver does not exist in supported kernels.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

drm/amdgpu: Fix potential fence use-after-free v2

perf: Disallow mis-matched inherited group reads

perf: Disallow mis-matched inherited group reads (adaptation)

smb: client: fix OOB in smbCalcSize()

smb: client: fix potential OOB in smb2_dump_detail()

netfilter: nft_set_pipapo: skip inactive elements during set walk

Vulnerable commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) was introduced later than kernel-5.14.0-362.18.1.el9_3. None of our kernels are vulnerable.

net: tls, update curr on splice as well

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

nvmet-tcp: fix a crash in nvmet_req_complete()

nvmet-tcp: remove boilerplate code

nvmet-tcp: Fix the H2C expected PDU len calculation

Bluetooth: L2CAP: Fix u8 overflow

atm: Fix Use-After-Free in do_vcc_ioctl

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep

netfilter: nf_tables: Reject tables of

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

RDMA/irdma: Prevent zero-length STAG registration

RDMA/irdma: Prevent zero-length STAG registration

smb: client: fix OOB in receive_encrypted_standard()

smb: client: fix potential OOBs in smb2_parse_contexts()

smb: client: fix parsing of SMB3.1.1 POSIX create context

netfilter: nf_tables: check if catch-all set element is active in next generation

Bluetooth: af_bluetooth: Fix Use-After-Free in

io_uring/af_unix: disable sending io_uring over sockets

vc_screen: move load of struct vc_data pointer in

vc_screen: don't clobber return value in vcs_read

drm/qxl: fix UAF on handle creation

i2c: i801: Fix block process call transactions

ida: Fix crash in ida_free when the bitmap is empty

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super {CVE-2024-0841}

Bluetooth: Fix double free in hci_conn_cleanup

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

Bluetooth: Add more enc key size check

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

kobject: Fix slab-out-of-bounds in fill_kobj_path()

kobject: modify kobject_get_path() to take a const *

Reapply "memcg: enable accounting for file lock

netfilter: nf_tables: bail out on mismatching

HID: sony: Fix a potential memory leak in sony_probe()

net/sched: act_ct: fix skb leak and crash on ooo frags

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

Complex adaptation required to add timer_shutdown_sync() in timers subsystem.

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

The given kernel version isn't vulnerable.

neigh: make sure used and confirmed times are valid

net: fix possible store tearing in neigh_periodic_work()

net/core: Fix ETH_P_1588 flow dissector

netfilter: nf_tables: disallow timeout for anonymous sets

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

net: tls: fix use-after-free with partial reads

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

Bluetooth: hci_event: Ignore NULL link key

Bluetooth: Reject connection with the device

Bluetooth: hci_event: Fix using memcmp when

Bluetooth: hci_event: Fix coding style

Bluetooth: avoid memcmp() out of bounds warning

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY

The given kernel version isn't vulnerable (Netfilter).

io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

net: add atomic_long_t to net_device_stats fields

net: bridge: use DEV_STATS_INC()

net: bridge: use DEV_STATS_INC()

USB: core: Unite old scheme and new scheme

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

net: xfrm: Fix xfrm_address_filter OOB read

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

nvmet: nul-terminate the NQNs passed in the

CVE has been marked as REJECTED on the NVD website.

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

crypto: akcipher - Disable signing and decryption

x86/sev: Harden #VC instruction emulation somewhat

netfilter: nf_tables: disallow anonymous set with timeout flag

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

netfilter: nft_ct: fix l3num expectations with inet pseudo family

net: ip_tunnel: prevent perpetual headroom growth

ipv6: sr: fix possible use-after-free and null-ptr-deref

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

octeontx2: CVE patch is outside the scope.

eBPF: low score UAF with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default but needs complex adaptation.

VFIO: Add the SPR_DSA and SPR_IAX devices to the

wifi: rtl8xxxu: add cancel_work_sync() for

wifi: iwlwifi: dbg-tlv: ensure NUL termination

net: annotate data-races around

net: fix __dst_negative_advice() race

bonding: Fix out-of-bounds read in

wifi: cfg80211: check A-MSDU format more

net: netlink: af_netlink: Prevent empty skb by

wifi: ath10k: fix NULL pointer dereference in

platform/x86: wmi: remove unnecessary initializations

platform/x86: wmi: Fix opening of char device

phy: ti: phy-omap-usb2: Fix NULL pointer

netfilter: nft_chain_filter: handle

netfilter: nf_tables: do not compare internal

ipv6: fix potential "struct net" leak in

wifi: iwlwifi: read txq->read_ptr under lock

tls: fix missing memory barrier in tls_init

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

wifi: nl80211: don't free NULL coalescing rule

net: core: reject skb_copy(_expand) for fraglist GSO skbs

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

netfilter: nf_tables: honor table dormant flag from netdev release event path

tap: add missing verification for short frame

tun: add missing verification for short frame

netfilter: nft_limit: reject configurations that cause integer overflow

net: bridge: xmit: make sure we have at least eth

tty: n_gsm: require CAP_NET_ADMIN to attach

CVE marked as rejected by vendor

netfilter: flowtable: Fix QinQ and pppoe support for inet table

netfilter: flowtable: validate pppoe header

netfilter: nf_tables: Fix potential data-race in

netfilter: validate user input for expected length

netfilter: complete validation of user input

nf_tables: disable toggling dormant table state more than once

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

Not vulnerable: buggy commit 3b8cc6298 (blk-cgroup: Optimize blkcg_rstat_flush) was introduced in v6.2 upstream and appeared in RHEL9's 284.11.1

Not vulnerable: mapping mechanism that the bug applies to was introduced in v6.6 upstream (3178308ad4c) and appeared in RHEL9's since -427

netfilter: nf_tables: use timestamp to check for

netfilter: nf_tables: use timestamp to check for

nvme: fix reconnection fail due to reserved tag

Not vulnerable: function with the buggy code `dmirror_device_evict_chunk()` exists since 362.8.1

Not vulnerable: buggy function was introduced in v6.5 upsteam (or RHEL9's 427.13.1), and no similar code patterns existed before for this module

Not vulnerable: vulnerable calls to `wakeup_kswapd()` did not exist prior to 284.11.1

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a

octeontx2-af: avoid off-by-one read from

net: ena: Fix incorrect descriptor free behavior

vt: fix memory overlapping when deleting chars in

tcp: Use refcount_inc_not_zero() in

can: j1939: prevent deadlock by changing

can: j1939: prevent deadlock by changing

r8169: Fix possible ring buffer corruption on

net: hns3: fix use-after-free bug in

netfilter: tproxy: bail out if IP has been