{"schema_version":"1.7.2","id":"OESA-2024-1963","modified":"2024-08-09T11:08:46Z","published":"2024-08-09T11:08:46Z","upstream":["CVE-2021-47202","CVE-2024-33621","CVE-2024-40902","CVE-2024-40959","CVE-2024-41006","CVE-2024-41014","CVE-2024-41017","CVE-2024-41020","CVE-2024-41044","CVE-2024-41063","CVE-2024-41069","CVE-2024-41072","CVE-2024-41081","CVE-2024-41089","CVE-2024-41095","CVE-2024-41097","CVE-2024-42077","CVE-2024-42086","CVE-2024-42090","CVE-2024-42092","CVE-2024-42094","CVE-2024-42097","CVE-2024-42104","CVE-2024-42106","CVE-2024-42115","CVE-2024-42119","CVE-2024-42145","CVE-2024-42224","CVE-2024-42228"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nthermal: Fix NULL pointer dereferences in of_thermal_ functions\r\n\r\nof_parse_thermal_zones() parses the thermal-zones node and registers a\nthermal_zone device for each subnode. However, if a thermal zone is\nconsuming a thermal sensor and that thermal sensor device hasn\u0026apos;t probed\nyet, an attempt to set trip_point_*_temp for that thermal zone device\ncan cause a NULL pointer dereference. Fix it.\r\n\r\n console:/sys/class/thermal/thermal_zone87 # echo 120000 \u0026gt; trip_point_0_temp\n ...\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n ...\n Call trace:\n  of_thermal_set_trip_temp+0x40/0xc4\n  trip_point_temp_store+0xc0/0x1dc\n  dev_attr_store+0x38/0x88\n  sysfs_kf_write+0x64/0xc0\n  kernfs_fop_write_iter+0x108/0x1d0\n  vfs_write+0x2f4/0x368\n  ksys_write+0x7c/0xec\n  __arm64_sys_write+0x20/0x30\n  el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc\n  do_el0_svc+0x28/0xa0\n  el0_svc+0x14/0x24\n  el0_sync_handler+0x88/0xec\n  el0_sync+0x1c0/0x200\r\n\r\nWhile at it, fix the possible NULL pointer dereference in other\nfunctions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),\nof_thermal_get_trend().(CVE-2021-47202)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nipvlan: Dont Use skb-\u0026gt;sk in ipvlan_process_v{4,6}_outbound\r\n\r\nRaw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will\nhit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.\r\n\r\nWARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70\nModules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper\nCPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:sk_mc_loop+0x2d/0x70\nCode: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c\nRSP: 0018:ffffa9584015cd78 EFLAGS: 00010212\nRAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001\nRDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000\nRBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00\nR10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000\nR13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000\nFS:  0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u0026lt;IRQ\u0026gt;\n ? __warn (kernel/panic.c:693)\n ? sk_mc_loop (net/core/sock.c:760)\n ? report_bug (lib/bug.c:201 lib/bug.c:219)\n ? handle_bug (arch/x86/kernel/traps.c:239)\n ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n ? sk_mc_loop (net/core/sock.c:760)\n ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))\n ? nf_hook_slow (net/netfilter/core.c:626)\n ip6_finish_output (net/ipv6/ip6_output.c:222)\n ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)\n ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan\n ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan\n dev_hard_start_xmit (net/core/dev.c:3594)\n sch_direct_xmit (net/sched/sch_generic.c:343)\n __qdisc_run (net/sched/sch_generic.c:416)\n net_tx_action (net/core/dev.c:5286)\n handle_softirqs (kernel/softirq.c:555)\n __irq_exit_rcu (kernel/softirq.c:589)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)\r\n\r\nThe warning triggers as this:\npacket_sendmsg\n   packet_snd //skb-\u0026gt;sk is packet sk\n      __dev_queue_xmit\n         __dev_xmit_skb //q-\u0026gt;enqueue is not NULL\n             __qdisc_run\n               sch_direct_xmit\n                 dev_hard_start_xmit\n                   ipvlan_start_xmit\n                      ipvlan_xmit_mode_l3 //l3 mode\n                        ipvlan_process_outbound //vepa flag\n                          ipvlan_process_v6_outbound\n                            ip6_local_out\n                                __ip6_finish_output\n                                  ip6_finish_output2 //multicast packet\n                                    sk_mc_loop //sk-\u0026gt;sk_family is AF_PACKET\r\n\r\nCall ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.(CVE-2024-33621)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: xattr: fix buffer overflow for invalid xattr\r\n\r\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging.  But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\r\n\r\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.(CVE-2024-40902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\r\n\r\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\r\n\r\nsyzbot reported:\r\n\r\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 \u0026lt;80\u0026gt; 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u0026lt;TASK\u0026gt;\n  xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n  xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n  xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n  xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n  xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n  xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n  xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n  xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n  ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n  send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n  wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n  wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n  wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n  wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n  process_scheduled_works kernel/workqueue.c:3312 [inline]\n  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n  kthread+0x2c1/0x3a0 kernel/kthread.c:389\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244(CVE-2024-40959)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\r\n\r\nsyzbot reported a memory leak in nr_create() [0].\r\n\r\nCommit 409db27e3a2e (\u0026quot;netrom: Fix use-after-free of a listening socket.\u0026quot;)\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\r\n\r\nBut in the case \u0026quot;a,\u0026quot; when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \u0026quot;b.\u0026quot;\r\n\r\nnr_connect\n  nr_establish_data_link\n    nr_start_heartbeat\r\n\r\nnr_release\n  switch (nr-\u0026gt;state)\n  case NR_STATE_3\n    nr-\u0026gt;state = NR_STATE_2\n    sock_set_flag(sk, SOCK_DESTROY);\r\n\r\n                        nr_rx_frame\n                          nr_process_rx_frame\n                            switch (nr-\u0026gt;state)\n                            case NR_STATE_2\n                              nr_state2_machine()\n                                nr_disconnect()\n                                  nr_sk(sk)-\u0026gt;state = NR_STATE_0\n                                  sock_set_flag(sk, SOCK_DEAD)\r\n\r\n                        nr_heartbeat_expiry\n                          switch (nr-\u0026gt;state)\n                          case NR_STATE_0\n                            if (sock_flag(sk, SOCK_DESTROY) ||\n                               (sk-\u0026gt;sk_state == TCP_LISTEN\n                                 \u0026amp;\u0026amp; sock_flag(sk, SOCK_DEAD)))\n                               sock_hold()  // ( !!! )\n                               nr_destroy_socket()\r\n\r\nTo fix the memory leak, let\u0026apos;s call sock_hold() only for a listening socket.\r\n\r\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\r\n\r\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16(CVE-2024-41006)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nxfs: add bounds checking to xlog_recover_process_data\r\n\r\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\r\n\r\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n    1) Mount an image of xfs, and do some file operations to leave records\n    2) Before umounting, copy the image for subsequent steps to simulate\n       abnormal exit. Because umount will ensure that tail_blk and\n       head_blk are the same, which will result in the inability to enter\n       xlog_recover_process_data\n    3) Write a tool to parse and modify the copied image in step 2\n    4) Make the end of the xlog_op_header entries only 1 byte away from\n       xlog_rec_header-\u0026gt;h_size\n    5) xlog_rec_header-\u0026gt;h_num_logops++\n    6) Modify xlog_rec_header-\u0026gt;h_crc\r\n\r\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header.(CVE-2024-41014)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: don\u0026apos;t walk off the end of ealist\r\n\r\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist.(CVE-2024-41017)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nfilelock: Fix fcntl/close race recovery compat path\r\n\r\nWhen I wrote commit 3cad1bc01041 (\u0026quot;filelock: Remove locks reliably when\nfcntl/close race is detected\u0026quot;), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\r\n\r\nApply exactly the same fix to the compat path for 32-bit kernels.(CVE-2024-41020)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nppp: reject claimed-as-LCP but actually malformed packets\r\n\r\nSince \u0026apos;ppp_async_encode()\u0026apos; assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add \u0026apos;ppp_check_packet()\u0026apos; to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.(CVE-2024-41044)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\r\n\r\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev-\u0026gt;req_workqueue which destroy_workqueue() needs to flush.\r\n\r\nWe need to make sure that hdev-\u0026gt;{rx_work,cmd_work,tx_work} which are\nqueued into hdev-\u0026gt;workqueue and hdev-\u0026gt;{power_on,error_reset} which are\nqueued into hdev-\u0026gt;req_workqueue are no longer running by the moment\r\n\r\n       destroy_workqueue(hdev-\u0026gt;workqueue);\n       destroy_workqueue(hdev-\u0026gt;req_workqueue);\r\n\r\nare called from hci_release_dev().\r\n\r\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev-\u0026gt;list is removed from hci_dev_list.(CVE-2024-41063)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nASoC: topology: Fix references to freed memory\r\n\r\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed.(CVE-2024-41069)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\r\n\r\nIn \u0026apos;cfg80211_wext_siwscan()\u0026apos;, add extra check whether number of\nchannels passed via \u0026apos;ioctl(sock, SIOCSIWSCAN, ...)\u0026apos; doesn\u0026apos;t exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.(CVE-2024-41072)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nila: block BH in ila_output()\r\n\r\nAs explained in commit 1378817486d6 (\u0026quot;tipc: block BH\nbefore using dst_cache\u0026quot;), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\r\n\r\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\r\n\r\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\r\n\r\nFix the race by using local_bh_disable().(CVE-2024-41081)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes\r\n\r\nIn nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). The same applies to drm_cvt_mode().\nAdd a check to avoid null pointer dereference.(CVE-2024-41089)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes\r\n\r\nIn nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is\nassigned to mode, which will lead to a possible NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2024-41095)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: atm: cxacru: fix endpoint checking in cxacru_bind()\r\n\r\nSyzbot is still reporting quite an old issue [1] that occurs due to\nincomplete checking of present usb endpoints. As such, wrong\nendpoints types may be used at urb sumbitting stage which in turn\ntriggers a warning in usb_submit_urb().\r\n\r\nFix the issue by verifying that required endpoint types are present\nfor both in and out endpoints, taking into account cmd endpoint type.\r\n\r\nUnfortunately, this patch has not been tested on real hardware.\r\n\r\n[1] Syzbot report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\n...\nCall Trace:\n cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649\n cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760\n cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209\n usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055\n cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363\n usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:517 [inline]\n really_probe+0x23c/0xcd0 drivers/base/dd.c:595\n __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747\n driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777\n __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894\n bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427\n __device_attach+0x228/0x4a0 drivers/base/dd.c:965\n bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487\n device_add+0xc2f/0x2180 drivers/base/core.c:3354\n usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170\n usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238\n usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293(CVE-2024-41097)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nocfs2: fix DIO failure due to insufficient transaction credits\r\n\r\nThe code in ocfs2_dio_end_io_write() estimates number of necessary\ntransaction credits using ocfs2_calc_extend_credits().  This however does\nnot take into account that the IO could be arbitrarily large and can\ncontain arbitrary number of extents.\r\n\r\nExtent tree manipulations do often extend the current transaction but not\nin all of the cases.  For example if we have only single block extents in\nthe tree, ocfs2_mark_extent_written() will end up calling\nocfs2_replace_extent_rec() all the time and we will never extend the\ncurrent transaction and eventually exhaust all the transaction credits if\nthe IO contains many single block extents.  Once that happens a\nWARN_ON(jbd2_handle_buffer_credits(handle) \u0026lt;= 0) is triggered in\njbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to\nthis error.  This was actually triggered by one of our customers on a\nheavily fragmented OCFS2 filesystem.\r\n\r\nTo fix the issue make sure the transaction always has enough credits for\none extent insert before each call of ocfs2_mark_extent_written().\r\n\r\nHeming Zhao said:\r\n\r\n------\nPANIC: \u0026quot;Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error\u0026quot;\r\n\r\nPID: xxx  TASK: xxxx  CPU: 5  COMMAND: \u0026quot;SubmitThread-CA\u0026quot;\n  #0 machine_kexec at ffffffff8c069932\n  #1 __crash_kexec at ffffffff8c1338fa\n  #2 panic at ffffffff8c1d69b9\n  #3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]\n  #4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]\n  #5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]\n  #6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]\n  #7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]\n  #8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]\n  #9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]\n#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]\n#11 dio_complete at ffffffff8c2b9fa7\n#12 do_blockdev_direct_IO at ffffffff8c2bc09f\n#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]\n#14 generic_file_direct_write at ffffffff8c1dcf14\n#15 __generic_file_write_iter at ffffffff8c1dd07b\n#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]\n#17 aio_write at ffffffff8c2cc72e\n#18 kmem_cache_alloc at ffffffff8c248dde\n#19 do_io_submit at ffffffff8c2ccada\n#20 do_syscall_64 at ffffffff8c004984\n#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba(CVE-2024-42077)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\niio: chemical: bme680: Fix overflows in compensate() functions\r\n\r\nThere are cases in the compensate functions of the driver that\nthere could be overflows of variables due to bit shifting ops.\nThese implications were initially discussed here [1] and they\nwere mentioned in log message of Commit 1b3bd8592780 (\u0026quot;iio:\nchemical: Add support for Bosch BME680 sensor\u0026quot;).\r\n\r\n[1]: https://lore.kernel.org/linux-iio/20180728114028.3c1bbe81@archlinux/(CVE-2024-42086)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER\r\n\r\nIn create_pinctrl(), pinctrl_maps_mutex is acquired before calling\nadd_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()\ncalls pinctrl_free(). However, pinctrl_free() attempts to acquire\npinctrl_maps_mutex, which is already held by create_pinctrl(), leading to\na potential deadlock.\r\n\r\nThis patch resolves the issue by releasing pinctrl_maps_mutex before\ncalling pinctrl_free(), preventing the deadlock.\r\n\r\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.(CVE-2024-42090)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ngpio: davinci: Validate the obtained number of IRQs\r\n\r\nValue of pdata-\u0026gt;gpio_unbanked is taken from Device Tree. In case of broken\nDT due to any error this value can be any. Without this value validation\nthere can be out of chips-\u0026gt;irqs array boundaries access in\ndavinci_gpio_probe().\r\n\r\nValidate the obtained nirq value so that it won\u0026apos;t exceed the maximum\nnumber of IRQs per bank.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.(CVE-2024-42092)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/iucv: Avoid explicit cpumask var allocation on stack\r\n\r\nFor CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask\nvariable on stack is not recommended since it can cause potential stack\noverflow.\r\n\r\nInstead, kernel code should always use *cpumask_var API(s) to allocate\ncpumask var in config-neutral way, leaving allocation strategy to\nCONFIG_CPUMASK_OFFSTACK.\r\n\r\nUse *cpumask_var API(s) to address it.(CVE-2024-42094)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nALSA: emux: improve patch ioctl data validation\r\n\r\nIn load_data(), make the validation of and skipping over the main info\nblock match that in load_guspatch().\r\n\r\nIn load_guspatch(), add checking that the specified patch length matches\nthe actually supplied data, like load_data() already did.(CVE-2024-42097)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnilfs2: add missing check for inode numbers on directory entries\r\n\r\nSyzbot reported that mounting and unmounting a specific pattern of\ncorrupted nilfs2 filesystem images causes a use-after-free of metadata\nfile inodes, which triggers a kernel bug in lru_add_fn().\r\n\r\nAs Jan Kara pointed out, this is because the link count of a metadata file\ngets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),\ntries to delete that inode (ifile inode in this case).\r\n\r\nThe inconsistency occurs because directories containing the inode numbers\nof these metadata files that should not be visible in the namespace are\nread without checking.\r\n\r\nFix this issue by treating the inode numbers of these internal files as\nerrors in the sanity check helper when reading directory folios/pages.\r\n\r\nAlso thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer\nanalysis.(CVE-2024-42104)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ninet_diag: Initialize pad field in struct inet_diag_req_v2\r\n\r\nKMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw\nsockets uses the pad field in struct inet_diag_req_v2 for the\nunderlying protocol. This field corresponds to the sdiag_raw_protocol\nfield in struct inet_diag_req_raw.\r\n\r\ninet_diag_get_exact_compat() converts inet_diag_req to\ninet_diag_req_v2, but leaves the pad field uninitialized. So the issue\noccurs when raw_lookup() accesses the sdiag_raw_protocol field.\r\n\r\nFix this by initializing the pad field in\ninet_diag_get_exact_compat(). Also, do the same fix in\ninet_diag_dump_compat() to avoid the similar issue in the future.\r\n\r\n[1]\nBUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]\nBUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_lookup net/ipv4/raw_diag.c:49 [inline]\n raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nUninit was stored to memory at:\n raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71\n raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99\n inet_diag_cmd_exact+0x7d9/0x980\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]\n inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\n netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x332/0x3d0 net/socket.c:745\n ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639\n __sys_sendmsg net/socket.c:2668 [inline]\n __do_sys_sendmsg net/socket.c:2677 [inline]\n __se_sys_sendmsg net/socket.c:2675 [inline]\n __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675\n x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\r\n\r\nLocal variable req.i created at:\n inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]\n inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426\n sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282\r\n\r\nCPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014(CVE-2024-42106)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njffs2: Fix potential illegal address access in jffs2_free_inode\r\n\r\nDuring the stress testing of the jffs2 file system,the following\nabnormal printouts were found:\n[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948\n[ 2430.649622] Mem abort info:\n[ 2430.649829]   ESR = 0x96000004\n[ 2430.650115]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 2430.650564]   SET = 0, FnV = 0\n[ 2430.650795]   EA = 0, S1PTW = 0\n[ 2430.651032]   FSC = 0x04: level 0 translation fault\n[ 2430.651446] Data abort info:\n[ 2430.651683]   ISV = 0, ISS = 0x00000004\n[ 2430.652001]   CM = 0, WnR = 0\n[ 2430.652558] [0069696969696948] address between user and kernel address ranges\n[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33\n[ 2430.655008] Hardware name: linux,dummy-virt (DT)\n[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 2430.656142] pc : kfree+0x78/0x348\n[ 2430.656630] lr : jffs2_free_inode+0x24/0x48\n[ 2430.657051] sp : ffff800009eebd10\n[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000\n[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000\n[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14\n[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000\n[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000\n[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19\n[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14\n[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302\n[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342\n[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000\n[ 2430.664217] Call trace:\n[ 2430.664528]  kfree+0x78/0x348\n[ 2430.664855]  jffs2_free_inode+0x24/0x48\n[ 2430.665233]  i_callback+0x24/0x50\n[ 2430.665528]  rcu_do_batch+0x1ac/0x448\n[ 2430.665892]  rcu_core+0x28c/0x3c8\n[ 2430.666151]  rcu_core_si+0x18/0x28\n[ 2430.666473]  __do_softirq+0x138/0x3cc\n[ 2430.666781]  irq_exit+0xf0/0x110\n[ 2430.667065]  handle_domain_irq+0x6c/0x98\n[ 2430.667447]  gic_handle_irq+0xac/0xe8\n[ 2430.667739]  call_on_irq_stack+0x28/0x54\nThe parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of\nthe jffs_inode_info structure. It was found that all variables in the jffs_inode_info\nstructure were 5a5a5a5a, except for the first member sem. It is suspected that these\nvariables are not initialized because they were set to 5a5a5a5a during memory testing,\nwhich is meant to detect uninitialized memory.The sem variable is initialized in the\nfunction jffs2_i_init_once, while other members are initialized in\nthe function jffs2_init_inode_info.\r\n\r\nThe function jffs2_init_inode_info is called after iget_locked,\nbut in the iget_locked function, the destroy_inode process is triggered,\nwhich releases the inode and consequently, the target member of the inode\nis not initialized.In concurrent high pressure scenarios, iget_locked\nmay enter the destroy_inode branch as described in the code.\r\n\r\nSince the destroy_inode functionality of jffs2 only releases the target,\nthe fix method is to set target to NULL in jffs2_i_init_once.(CVE-2024-42115)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Skip finding free audio for unknown engine_id\r\n\r\n[WHY]\nENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it\nalso means it is uninitialized and does not need free audio.\r\n\r\n[HOW]\nSkip and return NULL.\r\n\r\nThis fixes 2 OVERRUN issues reported by Coverity.(CVE-2024-42119)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nIB/core: Implement a limit on UMAD receive List\r\n\r\nThe existing behavior of ib_umad, which maintains received MAD\npackets in an unbounded list, poses a risk of uncontrolled growth.\nAs user-space applications extract packets from this list, the rate\nof extraction may not match the rate of incoming packets, leading\nto potential list overflow.\r\n\r\nTo address this, we introduce a limit to the size of the list. After\nconsidering typical scenarios, such as OpenSM processing, which can\nhandle approximately 100k packets per second, and the 1-second retry\ntimeout for most packets, we set the list size limit to 200k. Packets\nreceived beyond this limit are dropped, assuming they are likely timed\nout by the time they are handled by user-space.\r\n\r\nNotably, packets queued on the receive list due to reasons like\ntimed-out sends are preserved even when the list is full.(CVE-2024-42145)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: dsa: mv88e6xxx: Correct check for empty list\r\n\r\nSince commit a3c53be55c95 (\u0026quot;net: dsa: mv88e6xxx: Support multiple MDIO\nbusses\u0026quot;) mv88e6xxx_default_mdio_bus() has checked that the\nreturn value of list_first_entry() is non-NULL.\r\n\r\nThis appears to be intended to guard against the list chip-\u0026gt;mdios being\nempty.  However, it is not the correct check as the implementation of\nlist_first_entry is not designed to return NULL for empty lists.\r\n\r\nInstead, use list_first_entry_or_null() which does return NULL if the\nlist is empty.\r\n\r\nFlagged by Smatch.\nCompile tested only.(CVE-2024-42224)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\r\n\r\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n   need to have a separate value of 0xffffffff.(Christian)(CVE-2024-42228)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2408.2.0.0289.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","perf-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2408.2.0.0289.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","perf-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2408.2.0.0289.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1963"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-47202"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-33621"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40902"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40959"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41006"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41014"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41017"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41020"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41044"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41063"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41069"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41072"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41081"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41089"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41095"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41097"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42077"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42086"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42090"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42092"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42094"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42097"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42104"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42106"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42115"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42119"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42145"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42224"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42228"}],"database_specific":{"severity":"High"}}