HCE2-SA-2023-0237 Important HCE 2.0 Security Fix(es): In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2023-21255) Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace (CVE-2023-31248) A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable). (CVE-2023-3389) A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. (CVE-2023-3390) ** REJECT ** DO NOT USE THIS CVE RECORD.  ConsultIDs: CVE-2023-3390.  Reason: This record is a duplicate of CVE-2023-3390.  Notes: All CVE users should reference CVE-2023-3390 instead of this record.  All references and descriptions in this record have been removed to prevent accidental usage. (CVE-2023-3117) Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001) An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation. (CVE-2023-35788) A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829) A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc. (CVE-2023-3609) ** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access. (CVE-2023-34256) A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic. (CVE-2023-3212) bpf: incorrect verifier pruning due to missing register precision taints, which may lead to out-of-band read/write access due to an incorrect verifier conclusion. (CVE-2023-2163) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824) An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. (CVE-2023-3268) An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process. (CVE-2023-31084) An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition. (CVE-2023-33288) No description is available for this CVE. (CVE-2023-3327) An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611) A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem. (CVE-2023-2985) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free. (CVE-2022-45886) A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system. (CVE-2023-2156) A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f. (CVE-2023-3776) HCE 2.0 bpftool-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-abi-stablelists-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-tools-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-tools-libs-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-tools-libs-devel-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm perf-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm python3-perf-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm bpftool-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-abi-stablelists-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-tools-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-tools-libs-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-tools-libs-devel-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm perf-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm python3-perf-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-devel-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-devel-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm kernel-headers-5.10.0-60.18.0.50.r966_40.hce2.aarch64.rpm kernel-headers-5.10.0-60.18.0.50.r966_40.hce2.x86_64.rpm