{"schema_version":"1.7.2","id":"OESA-2024-2031","modified":"2024-08-23T11:08:54Z","published":"2024-08-23T11:08:54Z","upstream":["CVE-2024-26586","CVE-2024-26598","CVE-2024-36484","CVE-2024-36880","CVE-2024-36900","CVE-2024-36904","CVE-2024-36914","CVE-2024-36933","CVE-2024-36938","CVE-2024-38544","CVE-2024-38597","CVE-2024-39276","CVE-2024-40902","CVE-2024-40966","CVE-2024-41066","CVE-2024-41073","CVE-2024-41087","CVE-2024-41088","CVE-2024-42070","CVE-2024-42126","CVE-2024-42127","CVE-2024-42131","CVE-2024-42232","CVE-2024-42236","CVE-2024-42304","CVE-2024-42310","CVE-2024-43839"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmlxsw: spectrum_acl_tcam: Fix stack corruption\r\n\r\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\r\n\r\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\r\n\r\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\r\n\r\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\r\n\r\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\r\n\r\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26586)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\r\n\r\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\r\n\r\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.(CVE-2024-26598)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: relax socket state check at accept time.\r\n\r\nChristoph reported the following splat:\r\n\r\nWARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0\nModules linked in:\nCPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\nRIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759\nCode: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd \u0026lt;0f\u0026gt; 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80\nRSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293\nRAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64\nR10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000\nR13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800\nFS:  000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u0026lt;TASK\u0026gt;\n inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786\n do_accept+0x435/0x620 net/socket.c:1929\n __sys_accept4_file net/socket.c:1969 [inline]\n __sys_accept4+0x9b/0x110 net/socket.c:1999\n __do_sys_accept net/socket.c:2016 [inline]\n __se_sys_accept net/socket.c:2013 [inline]\n __x64_sys_accept+0x7d/0x90 net/socket.c:2013\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x4315f9\nCode: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00\nRSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b\nRAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300\nR10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055\n \u0026lt;/TASK\u0026gt;\r\n\r\nThe reproducer invokes shutdown() before entering the listener status.\nAfter commit 94062790aedb (\u0026quot;tcp: defer shutdown(SEND_SHUTDOWN) for\nTCP_SYN_RECV sockets\u0026quot;), the above causes the child to reach the accept\nsyscall in FIN_WAIT1 status.\r\n\r\nEric noted we can relax the existing assertion in __inet_accept()(CVE-2024-36484)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nBluetooth: qca: add missing firmware sanity checks\r\n\r\nAdd the missing sanity checks when parsing the firmware files before\ndownloading them to avoid accessing and corrupting memory beyond the\nvmalloced buffer.(CVE-2024-36880)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: hns3: fix kernel crash when devlink reload during initialization\r\n\r\nThe devlink reload process will access the hardware resources,\nbut the register operation is done before the hardware is initialized.\nSo, processing the devlink reload during initialization may lead to kernel\ncrash.\r\n\r\nThis patch fixes this by registering the devlink after\nhardware initialization.(CVE-2024-36900)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\r\n\r\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\r\n\r\nSince commit ec94c2696f0b (\u0026quot;tcp/dccp: avoid one atomic operation for\ntimewait hashdance\u0026quot;), inet_twsk_hashdance() sets TIME-WAIT socket\u0026apos;s\nsk_refcnt after putting it into ehash and releasing the bucket lock.\r\n\r\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\r\n\r\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\r\n\r\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\r\n\r\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u0026lt;0f\u0026gt; 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS:  00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \u0026lt;TASK\u0026gt;\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n \u0026lt;/TASK\u0026gt;(CVE-2024-36904)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/amd/display: Skip on writeback when it\u0026apos;s not applicable\r\n\r\n[WHY]\ndynamic memory safety error detector (KASAN) catches and generates error\nmessages \u0026quot;BUG: KASAN: slab-out-of-bounds\u0026quot; as writeback connector does not\nsupport certain features which are not initialized.\r\n\r\n[HOW]\nSkip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK.(CVE-2024-36914)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnsh: Restore skb-\u0026gt;{protocol,data,mac_header} for outer header in nsh_gso_segment().\r\n\r\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\r\n\r\n  ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\r\n\r\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS.  As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\r\n\r\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\r\n\r\n  1. reset skb-\u0026gt;network_header\n  2. save the original skb-\u0026gt;{mac_heaeder,mac_len} in a local variable\n  3. pull the NSH header\n  4. resets skb-\u0026gt;mac_header\n  5. set up skb-\u0026gt;mac_len and skb-\u0026gt;protocol for the inner protocol.\r\n\r\nand does the following for the segmented skb\r\n\r\n  6. set ntohs(ETH_P_NSH) to skb-\u0026gt;protocol\n  7. push the NSH header\n  8. restore skb-\u0026gt;mac_header\n  9. set skb-\u0026gt;mac_header + mac_len to skb-\u0026gt;network_header\n 10. restore skb-\u0026gt;mac_len\r\n\r\nThere are two problems in 6-7 and 8-9.\r\n\r\n  (a)\n  After 6 \u0026amp; 7, skb-\u0026gt;data points to the NSH header, so the outer header\n  (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\r\n\r\n  Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n  skb_pull() in the first nsh_gso_segment() will make skb-\u0026gt;data point\n  to the middle of the outer NSH or Ethernet header because the Ethernet\n  header is not pulled by the second nsh_gso_segment().\r\n\r\n  (b)\n  While restoring skb-\u0026gt;{mac_header,network_header} in 8 \u0026amp; 9,\n  nsh_gso_segment() does not assume that the data in the linear\n  buffer is shifted.\r\n\r\n  However, udp6_ufo_fragment() could shift the data and change\n  skb-\u0026gt;mac_header accordingly as demonstrated by syzbot.\r\n\r\n  If this happens, even the restored skb-\u0026gt;mac_header points to\n  the middle of the outer header.\r\n\r\nIt seems nsh_gso_segment() has never worked with outer headers so far.\r\n\r\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\r\n\r\nTo do that, let\u0026apos;s calculate the outer header position relatively from\nthe inner header and set skb-\u0026gt;{data,mac_header,protocol} properly.\r\n\r\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\r\n\r\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---(CVE-2024-36933)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue\r\n\r\nFix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which\nsyzbot reported [1].\r\n\r\n[1]\nBUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue\r\n\r\nwrite to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:\n sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]\n sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843\n sk_psock_put include/linux/skmsg.h:459 [inline]\n sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648\n unix_release+0x4b/0x80 net/unix/af_unix.c:1048\n __sock_release net/socket.c:659 [inline]\n sock_close+0x68/0x150 net/socket.c:1421\n __fput+0x2c1/0x660 fs/file_table.c:422\n __fput_sync+0x44/0x60 fs/file_table.c:507\n __do_sys_close fs/open.c:1556 [inline]\n __se_sys_close+0x101/0x1b0 fs/open.c:1541\n __x64_sys_close+0x1f/0x30 fs/open.c:1541\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nread to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:\n sk_psock_data_ready include/linux/skmsg.h:464 [inline]\n sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555\n sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606\n sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]\n sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202\n unix_read_skb net/unix/af_unix.c:2546 [inline]\n unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682\n sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223\n unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x140/0x180 net/socket.c:745\n ____sys_sendmsg+0x312/0x410 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x1e9/0x280 net/socket.c:2667\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\r\n\r\nvalue changed: 0xffffffff83d7feb0 -\u0026gt; 0x0000000000000000\r\n\r\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G        W          6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\r\n\r\nPrior to this, commit 4cd12c6065df (\u0026quot;bpf, sockmap: Fix NULL pointer\ndereference in sk_psock_verdict_data_ready()\u0026quot;) fixed one NULL pointer\nsimilarly due to no protection of saved_data_ready. Here is another\ndifferent caller causing the same issue because of the same reason. So\nwe should protect it with sk_callback_lock read lock because the writer\nside in the sk_psock_drop() uses \u0026quot;write_lock_bh(\u0026amp;sk-\u0026gt;sk_callback_lock);\u0026quot;.\r\n\r\nTo avoid errors that could happen in future, I move those two pairs of\nlock into the sk_psock_data_ready(), which is suggested by John Fastabend.(CVE-2024-36938)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nRDMA/rxe: Fix seg fault in rxe_comp_queue_pkt\r\n\r\nIn rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the\nresp_pkts queue and then a decision is made whether to run the completer\ntask inline or schedule it. Finally the skb is dereferenced to bump a \u0026apos;hw\u0026apos;\nperformance counter. This is wrong because if the completer task is\nalready running in a separate thread it may have already processed the skb\nand freed it which can cause a seg fault.  This has been observed\ninfrequently in testing at high scale.\r\n\r\nThis patch fixes this by changing the order of enqueuing the packet until\nafter the counter is accessed.(CVE-2024-38544)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\neth: sungem: remove .ndo_poll_controller to avoid deadlocks\r\n\r\nErhard reports netpoll warnings from sungem:\r\n\r\n  netpoll_send_skb_on_dev(): eth0 enabled interrupts in poll (gem_start_xmit+0x0/0x398)\n  WARNING: CPU: 1 PID: 1 at net/core/netpoll.c:370 netpoll_send_skb+0x1fc/0x20c\r\n\r\ngem_poll_controller() disables interrupts, which may sleep.\nWe can\u0026apos;t sleep in netpoll, it has interrupts disabled completely.\nStrangely, gem_poll_controller() doesn\u0026apos;t even poll the completions,\nand instead acts as if an interrupt has fired so it just schedules\nNAPI and exits. None of this has been necessary for years, since\nnetpoll invokes NAPI directly.(CVE-2024-38597)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: fix mb_cache_entry\u0026apos;s e_refcnt leak in ext4_xattr_block_cache_find()\r\n\r\nSyzbot reports a warning as follows:\r\n\r\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \u0026lt;TASK\u0026gt;\n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\r\n\r\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce\u0026apos;s e_refcnt, which has already grown\nin the __entry_find(), won\u0026apos;t be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\r\n\r\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.(CVE-2024-39276)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\njfs: xattr: fix buffer overflow for invalid xattr\r\n\r\nWhen an xattr size is not what is expected, it is printed out to the\nkernel log in hex format as a form of debugging.  But when that xattr\nsize is bigger than the expected size, printing it out can cause an\naccess off the end of the buffer.\r\n\r\nFix this all up by properly restricting the size of the debug hex dump\nin the kernel log.(CVE-2024-40902)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ntty: add the option to have a tty reject a new ldisc\r\n\r\n... and use it to limit the virtual terminals to just N_TTY.  They are\nkind of special, and in particular, the \u0026quot;con_write()\u0026quot; routine violates\nthe \u0026quot;writes cannot sleep\u0026quot; rule that some ldiscs rely on.\r\n\r\nThis avoids the\r\n\r\n   BUG: sleeping function called from invalid context at kernel/printk/printk.c:2659\r\n\r\nwhen N_GSM has been attached to a virtual console, and gsmld_write()\ncalls con_write() while holding a spinlock, and con_write() then tries\nto get the console lock.(CVE-2024-40966)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nibmvnic: Add tx check to prevent skb leak\r\n\r\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n    tx_buff[free_map[consumer_index]]-\u0026gt;skb = new_skb;\n    free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n    consumer_index ++;\nWhere variable data looks like this:\n    free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n                                               \tconsumer_index^\n    tx_buff == [skb=null, skb=\u0026lt;ptr\u0026gt;, skb=\u0026lt;ptr\u0026gt;, skb=null, skb=null]\r\n\r\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\r\n\r\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems.(CVE-2024-41066)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme: avoid double free special payload\r\n\r\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned.(CVE-2024-41073)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nata: libata-core: Fix double free on error\r\n\r\nIf e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump\nto the err_out label, which will call devres_release_group().\ndevres_release_group() will trigger a call to ata_host_release().\nata_host_release() calls kfree(host), so executing the kfree(host) in\nata_host_alloc() will lead to a double free:\r\n\r\nkernel BUG at mm/slub.c:553!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:kfree+0x2cf/0x2f0\nCode: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da\nRSP: 0018:ffffc90000f377f0 EFLAGS: 00010246\nRAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320\nRDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0\nRBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780\nR13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006\nFS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \u0026lt;TASK\u0026gt;\n ? __die_body.cold+0x19/0x27\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x6a/0x90\n ? kfree+0x2cf/0x2f0\n ? exc_invalid_op+0x50/0x70\n ? kfree+0x2cf/0x2f0\n ? asm_exc_invalid_op+0x1a/0x20\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? ata_host_alloc+0xf5/0x120 [libata]\n ? kfree+0x2cf/0x2f0\n ata_host_alloc+0xf5/0x120 [libata]\n ata_host_alloc_pinfo+0x14/0xa0 [libata]\n ahci_init_one+0x6c9/0xd20 [ahci]\r\n\r\nEnsure that we will not call kfree(host) twice, by performing the kfree()\nonly if the devres_open_group() call failed.(CVE-2024-41087)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: mcp251xfd: fix infinite loop when xmit fails\r\n\r\nWhen the mcp251xfd_start_xmit() function fails, the driver stops\nprocessing messages, and the interrupt routine does not return,\nrunning indefinitely even after killing the running application.\r\n\r\nError messages:\n[  441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16\n[  441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3).\n... and repeat forever.\r\n\r\nThe issue can be triggered when multiple devices share the same SPI\ninterface. And there is concurrent access to the bus.\r\n\r\nThe problem occurs because tx_ring-\u0026gt;head increments even if\nmcp251xfd_start_xmit() fails. Consequently, the driver skips one TX\npackage while still expecting a response in\nmcp251xfd_handle_tefif_one().\r\n\r\nResolve the issue by starting a workqueue to write the tx obj\nsynchronously if err = -EBUSY. In case of another error, decrement\ntx_ring-\u0026gt;head, remove skb from the echo stack, and drop the message.\r\n\r\n[mkl: use more imperative wording in patch description](CVE-2024-41088)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\r\n\r\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers.(CVE-2024-42070)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\npowerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.\r\n\r\nnmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel\ncrash when invoked during real mode interrupt handling (e.g. early HMI/MCE\ninterrupt handler) if percpu allocation comes from vmalloc area.\r\n\r\nEarly HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()\nwrapper which invokes nmi_enter/nmi_exit calls. We don\u0026apos;t see any issue when\npercpu allocation is from the embedded first chunk. However with\nCONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu\nallocation can come from the vmalloc area.\r\n\r\nWith kernel command line \u0026quot;percpu_alloc=page\u0026quot; we can force percpu allocation\nto come from vmalloc area and can see kernel crash in machine_check_early:\r\n\r\n[    1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110\n[    1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0\n[    1.215719] --- interrupt: 200\n[    1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)\n[    1.215722] [c000000fffd731b0] [0000000000000000] 0x0\n[    1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8\r\n\r\nFix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu\nfirst chunk is not embedded.(CVE-2024-42126)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/lima: fix shared irq handling on driver remove\r\n\r\nlima uses a shared interrupt, so the interrupt handlers must be prepared\nto be called at any time. At driver removal time, the clocks are\ndisabled early and the interrupts stay registered until the very end of\nthe remove process due to the devm usage.\nThis is potentially a bug as the interrupts access device registers\nwhich assumes clocks are enabled. A crash can be triggered by removing\nthe driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.\nThis patch frees the interrupts at each lima device finishing callback\nso that the handlers are already unregistered by the time we fully\ndisable clocks.(CVE-2024-42127)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm: avoid overflows in dirty throttling logic\r\n\r\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits).  If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc.  Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway.  For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits.  For dirty_ratio / dirty_background_ratio it isn\u0026apos;t so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc.  So when converting dirty\nlimits from ratios to numbers of pages, we just don\u0026apos;t allow the result to\nexceed UINT_MAX.\r\n\r\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to \u0026gt;16 TB.(CVE-2024-42131)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nlibceph: fix race between delayed_work() and ceph_monc_stop()\r\n\r\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting().  Both of\nthese can requeue the delayed work which wouldn\u0026apos;t be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn\u0026apos;t mess with the delayed work in order\nto avoid interfering with the hunting interval logic.  This part was\nmissed in commit b5d91704f53e (\u0026quot;libceph: behave in mon_fault() if\ncur_mon \u0026lt; 0\u0026quot;) and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc-\u0026gt;auth and monc-\u0026gt;monmap being\nparticularly susceptible to quickly being reused.\r\n\r\nTo fix this:\r\n\r\n- clear monc-\u0026gt;cur_mon and monc-\u0026gt;hunting as part of closing the session\n  in ceph_monc_stop()\n- bail from delayed_work() if monc-\u0026gt;cur_mon is cleared, similar to how\n  it\u0026apos;s done in mon_fault() and finish_hunting() (based on monc-\u0026gt;hunting)\n- call cancel_delayed_work_sync() after the session is closed(CVE-2024-42232)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: gadget: configfs: Prevent OOB read/write in usb_string_copy()\r\n\r\nUserspace provided string \u0026apos;s\u0026apos; could trivially have the length zero. Left\nunchecked this will firstly result in an OOB read in the form\n`if (str[0 - 1] == \u0026apos;\\n\u0026apos;) followed closely by an OOB write in the form\n`str[0 - 1] = \u0026apos;\\0\u0026apos;`.\r\n\r\nThere is already a validating check to catch strings that are too long.\nLet\u0026apos;s supply an additional check for invalid strings that are too short.(CVE-2024-42236)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\next4: make sure the first directory block is not a hole\r\n\r\nThe syzbot constructs a directory that has no dirblock but is non-inline,\ni.e. the first directory block is a hole. And no errors are reported when\ncreating files in this directory in the following flow.\r\n\r\n    ext4_mknod\n     ...\n      ext4_add_entry\n        // Read block 0\n        ext4_read_dirblock(dir, block, DIRENT)\n          bh = ext4_bread(NULL, inode, block, 0)\n          if (!bh \u0026amp;\u0026amp; (type == INDEX || type == DIRENT_HTREE))\n          // The first directory block is a hole\n          // But type == DIRENT, so no error is reported.\r\n\r\nAfter that, we get a directory block without \u0026apos;.\u0026apos; and \u0026apos;..\u0026apos; but with a valid\ndentry. This may cause some code that relies on dot or dotdot (such as\nmake_indexed_dir()) to crash.\r\n\r\nTherefore when ext4_read_dirblock() finds that the first directory block\nis a hole report that the filesystem is corrupted and return an error to\navoid loading corrupted data from disk causing something bad.(CVE-2024-42304)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndrm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes\r\n\r\nIn cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference on\nfailure of drm_mode_duplicate(). Add a check to avoid npd.(CVE-2024-42310)\r\n\r\nIn the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbna: adjust \u0026apos;name\u0026apos; buf size of bna_tcb and bna_ccb structures\r\n\r\nTo have enough space to write all possible sprintf() args. Currently\n\u0026apos;name\u0026apos; size is 16, but the first \u0026apos;%s\u0026apos; specifier may already need at\nleast 16 characters, since \u0026apos;bnad-\u0026gt;netdev-\u0026gt;name\u0026apos; is used there.\r\n\r\nFor \u0026apos;%d\u0026apos; specifiers, assume that they require:\n * 1 char for \u0026apos;tx_id + tx_info-\u0026gt;tcb[i]-\u0026gt;id\u0026apos; sum, BNAD_MAX_TXQ_PER_TX is 8\n * 2 chars for \u0026apos;rx_id + rx_info-\u0026gt;rx_ctrl[i].ccb-\u0026gt;id\u0026apos;, BNAD_MAX_RXP_PER_RX\n   is 16\r\n\r\nAnd replace sprintf with snprintf.\r\n\r\nDetected using the static analysis tool - Svace.(CVE-2024-43839)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-136.90.0.171.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-debuginfo-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-debugsource-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-devel-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-headers-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-source-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-tools-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-tools-debuginfo-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","kernel-tools-devel-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","perf-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","perf-debuginfo-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","python3-perf-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm","python3-perf-debuginfo-5.10.0-136.90.0.171.oe2203sp1.aarch64.rpm"],"src":["kernel-5.10.0-136.90.0.171.oe2203sp1.src.rpm"],"x86_64":["kernel-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-debuginfo-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-debugsource-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-devel-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-headers-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-source-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-tools-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-tools-debuginfo-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","kernel-tools-devel-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","perf-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","perf-debuginfo-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","python3-perf-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm","python3-perf-debuginfo-5.10.0-136.90.0.171.oe2203sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2031"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26586"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26598"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36484"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36880"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36900"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36904"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36914"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36933"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36938"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38544"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38597"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39276"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40902"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40966"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41066"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41073"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41087"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41088"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42070"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42126"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42127"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42131"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42232"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42236"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42304"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42310"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43839"}],"database_specific":{"severity":"High"}}