CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-6923	Email header injection due to unquoted newlines Description: There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57881	mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy() Description: In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy() In split_large_buddy(), we might call pfn_to_page() on a PFN that might not exist. In corner cases, such as when freeing the highest pageblock in the last memory section, this could result with CONFIG_SPARSEMEM && !CONFIG_SPARSEMEM_EXTREME in __pfn_to_section() returning NULL and and __section_mem_map_addr() dereferencing that NULL pointer. Let's fix it, and avoid doing a pfn_to_page() call for the first iteration, where we already have the page. So far this was found by code inspection, but let's just CC stable as the fix is easy. EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57880	ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array Description: In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array The code uses the initialised member of the asoc_sdw_dailink struct to determine if a member of the array is in use. However in the case the array is completely full this will lead to an access 1 past the end of the array, expand the array by one entry to include a space for a terminator. EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57879	Bluetooth: iso: Always release hdev at the end of iso_listen_bis Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Always release hdev at the end of iso_listen_bis Since hci_get_route holds the device before returning, the hdev should be released with hci_dev_put at the end of iso_listen_bis even if the function returns with an error. EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57878	arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR Description: In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained. Before this patch: \| # ./fpmr-test \| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d \| SETREGSET(nt=0x40e, len=8) wrote 8 bytes \| \| Attempting to read NT_ARM_FPMR::fpmr \| GETREGSET(nt=0x40e, len=8) read 8 bytes \| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d \| \| Attempting to write NT_ARM_FPMR (zero length) \| SETREGSET(nt=0x40e, len=0) wrote 0 bytes \| \| Attempting to read NT_ARM_FPMR::fpmr \| GETREGSET(nt=0x40e, len=8) read 8 bytes \| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50 After this patch: \| # ./fpmr-test \| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d \| SETREGSET(nt=0x40e, len=8) wrote 8 bytes \| \| Attempting to read NT_ARM_FPMR::fpmr \| GETREGSET(nt=0x40e, len=8) read 8 bytes \| Read NT_ARM_FPMR:... EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57877	arm64: ptrace: fix partial SETREGSET for NT_ARM_POE Description: In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_POE Currently poe_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.por_el0, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of POR_EL1 will be retained. Before this patch: \| # ./poe-test \| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d \| SETREGSET(nt=0x40f, len=8) wrote 8 bytes \| \| Attempting to read NT_ARM_POE::por_el0 \| GETREGSET(nt=0x40f, len=8) read 8 bytes \| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d \| \| Attempting to write NT_ARM_POE (zero length) \| SETREGSET(nt=0x40f, len=0) wrote 0 bytes \| \| Attempting to read NT_ARM_POE::por_el0 \| GETREGSET(nt=0x40f, len=8) read 8 bytes \| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50 After this patch: \| # ./poe-test \| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d \| SETREGSET(nt=0x40f, len=8) wrote 8 bytes \| \| Attempting to read NT_ARM_POE::por_el0 \| GETREGSET(nt=0x40f, len=8) read 8 bytes \| Read ... EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57876	drm/dp_mst: Fix resetting msg rx state after topology removal Description: In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Fix resetting msg rx state after topology removal If the MST topology is removed during the reception of an MST down reply or MST up request sideband message, the drm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset from one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with the reading/parsing of the message from another thread via drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is possible since the reader/parser doesn't hold any lock while accessing the reception state. This in turn can lead to a memory corruption in the reader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST sideband message body length check"). Fix the above by resetting the message reception state if needed before reading/parsing a message. Another solution would be to hold the drm_dp_mst_topology_mgr::lock for the whole duration of the message reception/parsing in drm_dp_mst_handle_down_rep() and drm_dp_mst_handle_up_req(), however this would require a bigger change. Since the fix is also needed for stable, opting for the simpler solution in this patch. EPSS Score: 0.05% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57875	block: RCU protect disk->conv_zones_bitmap Description: In the Linux kernel, the following vulnerability has been resolved: block: RCU protect disk->conv_zones_bitmap Ensure that a disk revalidation changing the conventional zones bitmap of a disk does not cause invalid memory references when using the disk_zone_is_conv() helper by RCU protecting the disk->conv_zones_bitmap pointer. disk_zone_is_conv() is modified to operate under the RCU read lock and the function disk_set_conv_zones_bitmap() is added to update a disk conv_zones_bitmap pointer using rcu_replace_pointer() with the disk zone_wplugs_lock spinlock held. disk_free_zone_resources() is modified to call disk_update_zone_resources() with a NULL bitmap pointer to free the disk conv_zones_bitmap. disk_set_conv_zones_bitmap() is also used in disk_update_zone_resources() to set the new (revalidated) bitmap and free the old one. EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57874	arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Description: In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained. The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handlnig is not ... EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)
CVE-2024-57872	scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() Description: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() This will ensure that the scsi host is cleaned up properly using scsi_host_dev_release(). Otherwise, it may lead to memory leaks. EPSS Score: 0.04% Source: CVE January 12th, 2025 (6 months ago)