https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f65886606c2d3b562716de030706dfe1bea4ed5e

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.10

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4356 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4140 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4356 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4140 advisory.

  - kernel: Intel graphics card information leak. (CVE-2019-14615)

  - kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427)

  - kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)

  - kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)

  - kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)

  - kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)

  - kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)

  - kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)

  - kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)

  - kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)

  - kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)

  - kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)

  - kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)

  - kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)

  - kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)

  - kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)

  - kernel: the copy-on-write implementation can grant unintended write access because of a race condition in     a THP mapcount check (CVE-2020-29368)

  - kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-     after-free (CVE-2020-29660)

  - kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in     drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value (CVE-2020-36158)

  - kernel: memory leak upon a kmalloc failure in kvm_io_bus_unregister_dev function in virt/kvm/kvm_main.c     (CVE-2020-36312)

  - kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() in net/bluetooth/hci_event.c     (CVE-2020-36386)

  - kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129)

  - kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)

  - kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)

  - kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)

  - kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode     (CVE-2021-28950)

  - kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)

  - kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds     loads can be bypassed to leak content of kernel memory (CVE-2021-29155)

  - kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)

  - kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c     and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

  - kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)

  - kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content     of kernel memory (CVE-2021-31829)

  - kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

  - kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c (CVE-2021-33033)

  - kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations     by BPF verifier (CVE-2021-33200)

  - kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)

  - kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)

  - kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)

  - kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)

  - kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)

  - kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)

  - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)

  - kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)

  - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files     (CVE-2021-3732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):kernel/bpf/verifier.c in     the Linux kernel through 5.12.7 enforces incorrect     limits for pointer arithmetic operations, aka     CID-bb01a1bba579. This can be abused to perform     out-of-bounds reads and writes in kernel memory,     leading to local privilege escalation to root. In     particular, there is a corner case where the off reg     causes a masking direction change, which then results     in an incorrect final aux->alu_limit.(CVE-2021-33200)A     vulnerability was found in Linux Kernel where refcount     leak in llcp_sock_bind() causing use-after-free which     might lead to privilege escalations.(CVE-2020-25670)A     vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)A memory leak vulnerability     was found in Linux kernel in     llcp_sock_connect(CVE-2020-25672)An out-of-bounds (OOB)     memory access flaw was found in fs/f2fs/ Node.c in the     f2fs module in the Linux kernel in versions before     5.12.0-rc4. A bounds check failure allows a local     attacker to gain access to out-of-bounds memory leading     to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to system availability.(CVE-2021-3506)The Linux     kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194,     and 4.19.x before 4.19.140 has a use-after-free because     skcd->no_refcnt was not considered during a backport of     a CVE-2020-14356 patch. This is related to the cgroups     feature.(CVE-2020-25220)The Linux kernel before 5.11.14     has a use-after-free in cipso_v4_genopt in     net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO     refcounting for the DOI definitions is mishandled, aka     CID-ad5d07f4a9cd. This leads to writing an arbitrary     value.(CVE-2021-33033)kernel/bpf/verifier.c in the     Linux kernel through 5.12.1 performs undesirable     speculative loads, leading to disclosure of stack     content via side-channel attacks, aka CID-801c6058d14a.
    The specific concern is not protecting the BPF stack     area against speculative loads. Also, the BPF stack can     contain uninitialized data that might represent     sensitive information previously operated on by the     kernel.(CVE-2021-31829)An issue was discovered in     fs/fuse/fuse_i.h in the Linux kernel before 5.11.8.
    A(CVE-2021-28950)net/bluetooth/hci_request.c in the     Linux kernel through 5.12.2 has a race condition for     removal of the HCI controller.(CVE-2021-32399)In the     Linux kernel before 5.12.4, net/bluetooth/hci_event.c     has a use-after-free when destroying an hci_chan, aka     CID-5c4c8c954409. This leads to writing an arbitrary     value.(CVE-2021-33034)An out-of-bounds (OOB) memory     write flaw was found in list_devices in     drivers/md/dm-ioctl.c in the Multi-device driver module     in the Linux kernel before 5.12. A bound check failure     allows an attacker with special user (CAP_SYS_ADMIN)     privilege to gain access to out-of-bounds memory     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to system availability.(CVE-2021-31916)Use After     Free vulnerability in nfc sockets in the Linux Kernel     before 5.12.4 allows local attackers to elevate their     privileges. In typical configurations, the issue can     only be triggered by a privileged local user with the     CAP_NET_RAW capability.(CVE-2021-23134)An issue was     discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)An issue was     discovered in the Linux kernel before 5.8.10.
    virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev     memory leak upon a kmalloc failure, aka     CID-f65886606c2d.(CVE-2020-36312)The bpf verifier in     the Linux kernel did not properly handle mod32     destination register truncation when the source     register was known to be 0. A local attacker with the     ability to load bpf programs could use this gain     out-of-bounds reads in kernel memory leading to     information disclosure (kernel memory), and possibly     out-of-bounds writes that could potentially lead to     code execution. This issue was addressed in the     upstream kernel in commit 9b00f1b78809 ('bpf: Fix     truncation handling for mod32 dst reg wrt zero') and in     Linux stable kernels 5.11.2, 5.10.19, and     5.4.101.(CVE-2021-3444)An issue was discovered in the     Linux kernel through 5.11.x. kernel/bpf/verifier.c     performs undesirable out-of-bounds speculation on     pointer arithmetic, leading to side-channel attacks     that defeat Spectre mitigations and obtain sensitive     information from kernel memory. Specifically, for     sequences of pointer arithmetic operations, the pointer     modification performed by the first operation is not     correctly accounted for when restricting subsequent     operations.(CVE-2021-29155)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1977-1 advisory.

  - An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in security/apparmor/audit.c. (CVE-2019-18814)

  - In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function     (related to include/trace/events/lock.h). (CVE-2019-19769)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
    (CVE-2020-27673)

  - A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-35519)

  - An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a     set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
    (CVE-2020-36310)

  - An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering     many encrypted regions), aka CID-7be74942f184. (CVE-2020-36311)

  - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in     the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local     user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system availability. (CVE-2021-20268)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went too far and may under certain conditions also     overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking     persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,     leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device     driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This     has been fixed in 5.12-rc4.) (CVE-2021-28952)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel memory because of a partially uninitialized data     structure, aka CID-50535249f624. (CVE-2021-29647)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly     update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and     therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const     subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do     explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a     verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1975-1 advisory.

  - An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in security/apparmor/audit.c. (CVE-2019-18814)

  - In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function     (related to include/trace/events/lock.h). (CVE-2019-19769)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
    (CVE-2020-27673)

  - A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-35519)

  - An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a     set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
    (CVE-2020-36310)

  - An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering     many encrypted regions), aka CID-7be74942f184. (CVE-2020-36311)

  - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in     the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local     user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system availability. (CVE-2021-20268)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went too far and may under certain conditions also     overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking     persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,     leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device     driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This     has been fixed in 5.12-rc4.) (CVE-2021-28952)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel memory because of a partially uninitialized data     structure, aka CID-50535249f624. (CVE-2021-29647)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly     update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and     therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const     subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do     explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a     verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in fs/fuse/fuse_i.h in the     Linux kernel before 5.11.8. A 'stall on CPU' can occur     because a retry loop continually finds the same bad     inode, aka CID-775c5033a0d1.(CVE-2021-28950)

  - An issue was discovered in the Linux kernel before     5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc     failure, aka CID-f65886606c2d.(CVE-2020-36312)

  - An issue was discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)

  - An out-of-bounds (OOB) memory access flaw was found in     fs/f2fs/node.c in the f2fs module in the Linux kernel     in versions before 5.12.0-rc4. A bounds check failure     allows a local attacker to gain access to out-of-bounds     memory leading to a system crash or a leak of internal     kernel information. The highest threat from this     vulnerability is to system availability.(CVE-2021-3506)

  - An out-of-bounds (OOB) memory write flaw was found in     list_devices in drivers/md/dm-ioctl.c in the     Multi-device driver module in the Linux kernel before     5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access     to out-of-bounds memory leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to system     availability.(CVE-2021-31916)

  - An issue was discovered in the Linux kernel through     5.2.13. nbd_genl_status in drivers/block/nbd.c does not     check the nla_nest_start_noflag return     value.(CVE-2019-16089)

  - The bpf verifier in the Linux kernel did not properly     handle mod32 destination register truncation when the     source register was known to be 0. A local attacker     with the ability to load bpf programs could use this     gain out-of-bounds reads in kernel memory leading to     information disclosure (kernel memory), and possibly     out-of-bounds writes that could potentially lead to     code execution. This issue was addressed in the     upstream kernel in commit 9b00f1b78809 ('bpf: Fix     truncation handling for mod32 dst reg wrt zero') and in     Linux stable kernels 5.11.2, 5.10.19, and     5.4.101.(CVE-2021-3444)

  - An issue was discovered in the Linux kernel through     5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification     performed by the first operation is not correctly     accounted for when restricting subsequent     operations.(CVE-2021-29155)

  - kernel/bpf/verifier.c in the Linux kernel through     5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel     attacks, aka CID-801c6058d14a. The specific concern is     not protecting the BPF stack area against speculative     loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information     previously operated on by the kernel.(CVE-2021-31829)

  - net/bluetooth/hci_request.c in the Linux kernel through     5.12.2 has a race condition for removal of the HCI     controller.(CVE-2021-32399)

  - In the Linux kernel before 5.12.4,     net/bluetooth/hci_event.c has a use-after-free when     destroying an hci_chan, aka CID-5c4c8c954409. This     leads to writing an arbitrary value.(CVE-2021-33034)

  - The Linux kernel before 5.11.14 has a use-after-free in     cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the     CIPSO and CALIPSO refcounting for the DOI definitions     is mishandled, aka CID-ad5d07f4a9cd. This leads to     writing an arbitrary value.(CVE-2021-33033)

  - Use After Free vulnerability in nfc sockets in the     Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations,     the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability.(CVE-2021-23134)

  - A memory leak vulnerability was found in Linux kernel     in llcp_sock_connect(CVE-2020-25672)

  - A vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)

  - A vulnerability was found in Linux Kernel where     refcount leak in llcp_sock_bind() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25670)

  - kernel/bpf/verifier.c in the Linux kernel through     5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to     perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root.
    In particular, there is a corner case where the off reg     causes a masking direction change, which then results     in an incorrect final aux->alu_limit.(CVE-2021-33200)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):A vulnerability was found     in the Linux Kernel where the function sunkbd_reinit     having been scheduled by sunkbd_interrupt before sunkbd     being freed. Though the dangling pointer is set to NULL     in sunkbd_disconnect, there is still an alias in     sunkbd_reinit causing Use After Free.(CVE-2020-25669)An     issue was discovered in the Linux kernel through 5.9.1,     as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel     removal during the event-handling loop (a race     condition). This can cause a use-after-free or NULL     pointer dereference, as demonstrated by a dom0 crash     via events for an in-reconfiguration paravirtualized     device, aka CID-073d0552ead5.(CVE-2020-27675)An issue     was discovered in the Linux kernel through 5.9.1, as     used with Xen through 4.14.x. Guest OS users can cause     a denial of service (host OS hang) via a high rate of     events to dom0, aka CID-e99502f76271.(CVE-2020-27673)An     issue was discovered in __split_huge_pmd in     mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write     access because of a race condition in a THP mapcount     check, aka CID-c444eb564fb1.(CVE-2020-29368)An issue     was discovered in     drivers/accessibility/speakup/spk_ttyio.c in the Linux     kernel through 5.9.9. Local attackers on systems with     the speakup driver could cause a local denial of     service attack, aka CID-d41227544427. This occurs     because of an invalid free when the line discipline is     used more than once.(CVE-2020-28941)** DISPUTED **     fsfsd fs3xdr.c in the Linux kernel through 5.10.8, when     there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)An issue was discovered in the     Linux kernel through 5.11.3.
    drivers/scsi/scsi_transport_iscsi.c is adversely     affected by the ability of an unprivileged user to     craft Netlink messages.(CVE-2021-27364)An issue was     discovered in the Linux kernel through 5.11.3. A kernel     pointer leak can be used to determine the address of     the iscsi_transport structure. When an iSCSI transport     is registered with the iSCSI subsystem, the transport's     handle is available to unprivileged users via the sysfs     file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)ntfs_read_locked_inode     in the ntfs.ko filesystem driver in the Linux kernel     4.15.0 allows attackers to trigger a use-after-free     read and possibly cause a denial of service (kernel     oops or panic) via a crafted ntfs     filesystem.(CVE-2018-12929)In the Linux kernel 4.15.0,     a NULL pointer dereference was discovered in     hfs_ext_read_extent in hfs.ko. This can occur during a     mount of a crafted hfs     filesystem.(CVE-2018-12928)rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)There is a flaw reported in the     Linux kernel in versions before 5.9 in drivers/gpu/drm     ouveau ouveau_sgdma.c in nouveau_sgdma_create_ttm in     Nouveau DRM subsystem. The issue results from the lack     of validating the existence of an object prior to     performing operations on the object. An attacker with a     local account with a root privilege, can leverage this     vulnerability to escalate privileges and execute code     in the context of the kernel.(CVE-2021-20292)A flaw was     found in the Nosy driver in the Linux kernel. This     issue allows a device to be inserted twice into a     doubly-linked list, leading to a use-after-free when     one of these devices is removed. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)In     drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition     was discovered in get_old_root in fs/btrfs/ctree.c in     the Linux kernel through 5.11.8. It allows attackers to     cause a denial of service (BUG) because of a lack of     locking on an extent buffer before a cloning operation,     aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was     discovered in the Linux kernel before 5.11.7.
    usbip_sockfd_store in drivers/usb/usbip/stub_dev.c     allows attackers to cause a denial of service (GPF)     because the stub-up sequence has race conditions during     an update of the local and shared status, aka     CID-9380afd6df70.(CVE-2021-29265)The fix for XSA-365     includes initialization of pointers such that     subsequent cleanup code wouldn't use uninitialized or     stale values. This initialization went too far and may     under certain conditions also overwrite pointers which     are in need of cleaning up. The lack of cleanup would     result in leaking persistent grants. The leak in turn     would prevent fully cleaning up after a respective     guest has died, leaving around zombie domains. All     Linux versions having the fix for XSA-365 applied are     vulnerable. XSA-365 was classified to affect versions     back to at least 3.11.(CVE-2021-28688)An issue was     discovered in the Linux kernel before 5.11.3 when a     webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)An issue was     discovered in the Linux kernel before 5.8.10.
    virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev     memory leak upon a kmalloc failure, aka     CID-f65886606c2d.(CVE-2020-36312)An issue was     discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)An issue was     discovered in the Linux kernel before 5.11.11.
    qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to     obtain sensitive information from kernel memory because     of a partially uninitialized data structure, aka     CID-50535249f624.(CVE-2021-29647)An issue was     discovered in the Linux kernel through 5.11.10.
    driverset/ethernet/freescale/gianfar.c in the Freescale     Gianfar Ethernet driver allows attackers to cause a     system crash because a negative fragment size is     calculated in situations involving an rx queue overrun     when jumbo packets are used and NAPI is enabled, aka     CID-d8861bab48b6.(CVE-2021-29264)An out-of-bounds (OOB)     memory access flaw was found in x25_bind in     net/x25/af_x25.c in the Linux kernel version v5.12-rc5.
    A bounds check failure allows a local attacker with a     user account on the system to gain access to     out-of-bounds memory, leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2020-35519)An issue was discovered in     the Linux kernel before 5.11.8. kernel/bpf/verifier.c     has an off-by-one error (with a resultant integer     underflow) affecting out-of-bounds speculation on     pointer arithmetic, leading to side-channel attacks     that defeat Spectre mitigations and obtain sensitive     information from kernel memory, aka     CID-10d2bb2e6b1d.(CVE-2020-27171)An issue was     discovered in the Linux kernel before 5.11.8.
    kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a     ptr_limit.(CVE-2020-27170)BPF JIT compilers in the     Linux kernel through 5.11.12 have incorrect computation     of branch displacements, allowing them to execute     arbitrary code within the kernel context. This affects     arch/x86 et/bpf_jit_comp.c and arch/x86     et/bpf_jit_comp32.c.(CVE-2021-29154)A race condition in     Linux kernel SCTP sockets (net/sctp/socket.c) before     5.12-rc8 can lead to kernel privilege escalation from     the context of a network service or an unprivileged     process. If sctp_destroy_sock is called without     sock_net(sk)->sctp.addr_wq_lock then an element is     removed from the auto_asconf_splist list without any     proper locking. This can be exploited by an attacker     with network service privileges to escalate to root or     from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies     creation of some SCTP socket.(CVE-2021-23133)An issue     was discovered in the FUSE filesystem implementation in     the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.
    fuse_do_getattr() calls make_bad_inode() in     inappropriate situations, causing a system crash. NOTE:
    the original fix for this vulnerability was incomplete,     and its incompleteness is tracked as     CVE-2021-28950.(CVE-2020-36322)An out-of-bounds (OOB)     memory write flaw was found in list_devices in     drivers/md/dm-ioctl.c in the Multi-device driver module     in the Linux kernel before 5.12. A bound check failure     allows an attacker with special user (CAP_SYS_ADMIN)     privilege to gain access to out-of-bounds memory     leading to a system crash or a leak of internal kernel     information. The highest threat from this vulnerability     is to system availability.(CVE-2021-31916)An issue was     discovered in the Linux kernel through 5.11.x.
    kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification     performed by the first operation is not correctly     accounted for when restricting subsequent     operations.(CVE-2021-29155)kernel/bpf/verifier.c in the     Linux kernel through 5.12.1 performs undesirable     speculative loads, leading to disclosure of stack     content via side-channel attacks, aka CID-801c6058d14a.
    The specific concern is not protecting the BPF stack     area against speculative loads. Also, the BPF stack can     contain uninitialized data that might represent     sensitive information previously operated on by the     kernel.(CVE-2021-31829)The Linux kernel before 5.11.14     has a use-after-free in cipso_v4_genopt in     net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO     refcounting for the DOI definitions is mishandled, aka     CID-ad5d07f4a9cd. This leads to writing an arbitrary     value.(CVE-2021-33033)kernel/bpf/verifier.c in the     Linux kernel through 5.12.7 enforces incorrect limits     for pointer arithmetic operations, aka     CID-bb01a1bba579. This can be abused to perform     out-of-bounds reads and writes in kernel memory,     leading to local privilege escalation to root. In     particular, there is a corner case where the off reg     causes a masking direction change, which then results     in an incorrect final aux->alu_limit.(CVE-2021-33200)An     issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2021-3483)

  - An issue was discovered in the Linux kernel before     5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)

  - An issue was discovered in the FUSE filesystem     implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls     make_bad_inode() in inappropriate situations, causing a     system crash. NOTE: the original fix for this     vulnerability was incomplete, and its incompleteness is     tracked as CVE-2021-28950.(CVE-2020-36322)

  - There is a flaw reported in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - An issue was discovered in the Linux kernel before 5.8.
    arch/x86/kvm/svm/svm.c allows a set_memory_region_test     infinite loop for certain nested page faults, aka     CID-e72436bc3a52.(CVE-2020-36310)

  - A race condition was found in the Linux kernel in     sctp_destroy_sock. If sctp_destroy_sock is called     without sock_net(sk)->sctp.addr_wq_lock held and     sp->do_auto_asconf is true, then an element is removed     from the auto_asconf_splist without any proper locking.
    This can lead to kernel privilege escalation from the     context of a network service or from an unprivileged     process if certain conditions are met.(CVE-2021-23133)

  - In intel_pmu_drain_pebs_nhm in     arch/x86/events/intel/ds.c in the Linux kernel through     5.11.8 on some Haswell CPUs, userspace applications     (such as perf-fuzzer) can cause a system crash because     the PEBS status in a PEBS record is mishandled, aka     CID-d88d05a9e0b6.(CVE-2021-28971)

  - BPF JIT compilers in the Linux kernel through 5.11.12     have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the     kernel context. This affects     arch/x86/net/bpf_jit_comp.c and     arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)

  - An issue was discovered in the Linux kernel before     5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel     memory because of a partially uninitialized data     structure, aka CID-50535249f624.(CVE-2021-29647)

  - An issue was discovered in the Linux kernel before 5.7.
    The KVM subsystem allows out-of-range access to     memslots after a deletion, aka CID-0774a964ef56. This     affects arch/s390/kvm/kvm-s390.c,     include/linux/kvm_host.h, and     virt/kvm/kvm_main.c.(CVE-2020-36313)

  - A race condition was discovered in get_old_root in     fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG)     because of a lack of locking on an extent buffer before     a cloning operation, aka     CID-dbcc7d57bffc.(CVE-2021-28964)

  - An issue was discovered in the Linux kernel through     5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers     to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue     overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6.(CVE-2021-29264)

  - An issue was discovered in the Linux kernel before     5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory, aka CID-10d2bb2e6b1d.(CVE-2020-27171)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel. A     bounds check failure allows a local attacker with a     user account on the system to gain access to     out-of-bounds memory, leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2020-35519)

  - An issue was discovered in the Linux kernel before     5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because     net/netfilter/x_tables.c and     include/linux/netfilter/x_tables.h lack a full memory     barrier upon the assignment of a new table value, aka     CID-175e476b8cdf.(CVE-2021-29650)

  - rtw_wx_set_scan in     drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the     Linux kernel through 5.11.6 allows writing beyond the     end of the ->ssid[] array. NOTE: from the perspective     of kernel.org releases, CVE IDs are not normally used     for drivers/staging/* (unfinished work) however, system     integrators may have situations in which a     drivers/staging issue is relevant to their own customer     base.(CVE-2021-28660)

  - An issue was discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)

  - An issue was discovered in the Linux kernel before     5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc     failure, aka CID-f65886606c2d.(CVE-2020-36312)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in the Linux kernel before     5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause     a denial of service (GPF) because the stub-up sequence     has race conditions during an update of the local and     shared status, aka CID-9380afd6df70.(CVE-2021-29265)

  - A race condition was discovered in get_old_root in     fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG)     because of a lack of locking on an extent buffer before     a cloning operation, aka     CID-dbcc7d57bffc.(CVE-2021-28964)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)

  - An issue was discovered in the Linux kernel before     5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc     failure, aka CID-f65886606c2d.(CVE-2020-36312)

  - An issue was discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering     destruction of a large SEV VM (which requires     unregistering many encrypted regions), aka     CID-7be74942f184.(CVE-2020-36311)

  - BPF JIT compilers in the Linux kernel through 5.11.12     have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the     kernel context. This affects     arch/x86/net/bpf_jit_comp.c and     arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)

  - An issue was discovered in the Linux kernel before     5.11.8. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a     ptr_limit.(CVE-2020-27170)

  - An issue was discovered in the Linux kernel before     5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting     out-of-bounds speculation on pointer arithmetic,     leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from     kernel memory, aka CID-10d2bb2e6b1d.(CVE-2020-27171)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a     local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a     system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-35519)

  - An issue was discovered in the Linux kernel through     5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers     to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue     overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6.(CVE-2021-29264)

  - An issue was discovered in the Linux kernel before     5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel     memory because of a partially uninitialized data     structure, aka CID-50535249f624.(CVE-2021-29647)

  - An issue was discovered in the FUSE filesystem     implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls     make_bad_inode() in inappropriate situations, causing a     system crash. NOTE: the original fix for this     vulnerability was incomplete, and its incompleteness is     tracked as CVE-2021-28950.(CVE-2020-36322)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)

  - An issue was discovered in the Linux kernel before     5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)

  - The fix for XSA-365 includes initialization of pointers     such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went     too far and may under certain conditions also overwrite     pointers which are in need of cleaning up. The lack of     cleanup would result in leaking persistent grants. The     leak in turn would prevent fully cleaning up after a     respective guest has died, leaving around zombie     domains. All Linux versions having the fix for XSA-365     applied are vulnerable. XSA-365 was classified to     affect versions back to at least 3.11.(CVE-2021-28688)

  - A race condition in Linux kernel SCTP sockets     (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network     service or an unprivileged process. If     sctp_destroy_sock is called without     sock_net(sk)->sctp.addr_wq_lock then an element is     removed from the auto_asconf_splist list without any     proper locking. This can be exploited by an attacker     with network service privileges to escalate to root or     from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies     creation of some SCTP socket.(CVE-2021-23133)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1975-1 advisory.

  - An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in security/apparmor/audit.c. (CVE-2019-18814)

  - In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function     (related to include/trace/events/lock.h). (CVE-2019-19769)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
    (CVE-2020-27673)

  - A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-35519)

  - An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a     set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
    (CVE-2020-36310)

  - An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering     many encrypted regions), aka CID-7be74942f184. (CVE-2020-36311)

  - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in     the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local     user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system availability. (CVE-2021-20268)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went too far and may under certain conditions also     overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking     persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,     leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device     driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This     has been fixed in 5.12-rc4.) (CVE-2021-28952)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel memory because of a partially uninitialized data     structure, aka CID-50535249f624. (CVE-2021-29647)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly     update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and     therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const     subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do     explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a     verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1977-1 advisory.

  - An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in security/apparmor/audit.c. (CVE-2019-18814)

  - In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function     (related to include/trace/events/lock.h). (CVE-2019-19769)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
    (CVE-2020-27673)

  - A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-35519)

  - An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a     set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
    (CVE-2020-36310)

  - An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering     many encrypted regions), aka CID-7be74942f184. (CVE-2020-36311)

  - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in     the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local     user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system availability. (CVE-2021-20268)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went too far and may under certain conditions also     overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking     persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,     leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device     driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This     has been fixed in 5.12-rc4.) (CVE-2021-28952)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel memory because of a partially uninitialized data     structure, aka CID-50535249f624. (CVE-2021-29647)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly     update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and     therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const     subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do     explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a     verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).

CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).

CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).

CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).

CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).

CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).

CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).

CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).

CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).

CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).

CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).

CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).

CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).

CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up.
The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).

CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).

CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).

CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).

CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).

CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).

CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).

CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).

CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).

CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.
This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).

CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).

CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).

CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).

CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).

CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).

CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).

CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).

CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).

CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).

CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).

CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).

CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).

CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).

CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).

CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.
This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).

CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).

CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).

CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).

CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

CVE-2020-1749: Fixed a flaw inside of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).

CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).

CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).

CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).

CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).

CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).

CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).

CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).

CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.
This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).

CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).

CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).

CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

CVE-2020-36322: Fixed an issue in the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211 bnc#1184952).

CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022 bnc#1183069 ).

CVE-2020-1749: Fixed a flaw with some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Linux Leap 15.2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2021-3483: Fixed a use-after-free in nosy.c     (bsc#1184393).

  - CVE-2021-30002: Fixed a memory leak for large arguments     in video_usercopy (bsc#1184120).

  - CVE-2021-29154: Fixed incorrect computation of branch     displacements, allowing arbitrary code execution     (bsc#1184391).

  - CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due     to a retry loop continually was finding the same bad     inode (bsc#1184194).

  - CVE-2020-36312: Fixed a memory leak upon a kmalloc     failure (bsc#1184509 ).

  - CVE-2020-36311: Fixed a denial of service (soft lockup)     by triggering destruction of a large SEV VM     (bsc#1184511).

  - CVE-2020-36310: Fixed infinite loop for certain nested     page faults (bsc#1184512).

  - CVE-2020-25670, CVE-2020-25671, CVE-2020-25672,     CVE-2020-25673: Fixed multiple bugs in NFC subsytem     (bsc#1178181).

  - CVE-2020-36322: Fixed an issue was discovered in FUSE     filesystem implementation which could have caused a     system crash (bsc#1184211).

The following non-security bugs were fixed :

  - ALSA: aloop: Fix initialization of controls (git-fixes).

  - ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire     E1 (git-fixes).

  - appletalk: Fix skb allocation size in loopback case     (git-fixes).

  - ASoC: cygnus: fix for_each_child.cocci warnings     (git-fixes).

  - ASoC: fsl_esai: Fix TDM slot setup for I2S mode     (git-fixes).

  - ASoC: intel: atom: Remove 44100 sample-rate from the     media and deep-buffer DAI descriptions (git-fixes).

  - ASoC: intel: atom: Stop advertising non working S24LE     support (git-fixes).

  - ASoC: max98373: Added 30ms turn on/off time delay     (git-fixes).

  - ASoC: sunxi: sun4i-codec: fill ASoC card owner     (git-fixes).

  - ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled     for some chips (git-fixes).

  - ath10k: hold RCU lock when calling     ieee80211_find_sta_by_ifaddr() (git-fixes).

  - atl1c: fix error return code in atl1c_probe()     (git-fixes).

  - atl1e: fix error return code in atl1e_probe()     (git-fixes).

  - batman-adv: initialize 'struct     batadv_tvlv_tt_vlan_data'->reserved field (git-fixes).

  - bpf: Fix verifier jsgt branch analysis on max bound     (bsc#1155518).

  - bpf: Remove MTU check in __bpf_skb_max_len     (bsc#1155518).

  - bpf, sockmap: Fix sk->prot unhash op reset     (bsc#1155518).

  - brcmfmac: clear EAP/association status bits on linkdown     events (git-fixes).

  - bus: ti-sysc: Fix warning on unbind if reset is not     deasserted (git-fixes).

  - cifs: change noisy error message to FYI (bsc#1181507).

  - cifs_debug: use %pd instead of messing with ->d_name     (bsc#1181507).

  - cifs: do not send close in compound create+close     requests (bsc#1181507).

  - cifs: New optype for session operations (bsc#1181507).

  - cifs: print MIDs in decimal notation (bsc#1181507).

  - cifs: return proper error code in statfs(2)     (bsc#1181507).

  - cifs: Tracepoints and logs for tracing credit changes     (bsc#1181507).

  - clk: fix invalid usage of list cursor in register     (git-fixes).

  - clk: fix invalid usage of list cursor in unregister     (git-fixes).

  - clk: socfpga: fix iomem pointer cast on 64-bit     (git-fixes).

  - dm mpath: switch paths in dm_blk_ioctl() code path     (bsc#1167574, bsc#1175995, bsc#1184485).

  - drivers: video: fbcon: fix NULL dereference in     fbcon_cursor() (git-fixes).

  - drm/amdgpu: check alignment on CPU page for bo map     (git-fixes).

  - drm/amdgpu: fix offset calculation in     amdgpu_vm_bo_clear_mappings() (git-fixes).

  - drm/i915: Fix invalid access to ACPI _DSM objects     (bsc#1184074).

  - drm/msm/adreno: a5xx_power: Do not apply A540 lm_setup     to other GPUs (git-fixes).

  - drm/msm: Ratelimit invalid-fence message (git-fixes).

  - drm/msm: Set drvdata to NULL when msm_drm_init() fails     (git-fixes).

  - enetc: Fix reporting of h/w packet counters (git-fixes).

  - fix Patch-mainline:
    patches.suse/cifs_debug-use-pd-instead-of-messing-with-d
    _name.patch

  - fix patch metadata

  - fuse: fix bad inode (bsc#1184211).

  - fuse: fix live lock in fuse_iget() (bsc#1184211).

  - gianfar: Handle error code at MAC address change     (git-fixes).

  - i40e: Fix parameters in aq_get_phy_register()     (jsc#SLE-8025).

  - i40e: Fix sparse error: 'vsi->netdev' could be null     (jsc#SLE-8025).

  - ice: remove DCBNL_DEVRESET bit from PF state     (jsc#SLE-7926).

  - iommu/vt-d: Use device numa domain if RHSA is missing     (bsc#1184585).

  - kABI: powerpc/pmem: Include pmem prototypes (bsc#1113295     git-fixes).

  - libbpf: Fix INSTALL flag order (bsc#1155518).

  - libbpf: Only create rx and tx XDP rings when necessary     (bsc#1155518).

  - locking/mutex: Fix non debug version of     mutex_lock_io_nested() (git-fixes).

  - mac80211: choose first enabled channel for monitor     (git-fixes).

  - mac80211: fix TXQ AC confusion (git-fixes).

  - mISDN: fix crash in fritzpci (git-fixes).

  - net: atheros: switch from 'pci_' to 'dma_' API     (git-fixes).

  - net: b44: fix error return code in b44_init_one()     (git-fixes).

  - net: ethernet: ti: cpsw: fix error return code in     cpsw_probe() (git-fixes).

  - net: hns3: Remove the left over redundant check &     assignment (bsc#1154353).

  - net: lantiq: Wait for the GPHY firmware to be ready     (git-fixes).

  - net/mlx5: Fix PPLM register mapping (jsc#SLE-8464).

  - net: pasemi: fix error return code in pasemi_mac_open()     (git-fixes).

  - net: phy: broadcom: Only advertise EEE for supported     modes (git-fixes).

  - net: qualcomm: rmnet: Fix incorrect receive packet     handling during cleanup (git-fixes).

  - net: sched: disable TCQ_F_NOLOCK for pfifo_fast     (bsc#1183405)

  - net: wan/lmc: unregister device when no matching device     is found (git-fixes).

  - platform/x86: intel-hid: Support Lenovo ThinkPad X1     Tablet Gen 2 (git-fixes).

  - platform/x86: thinkpad_acpi: Allow the FnLock LED to     change state (git-fixes).

  - PM: runtime: Fix ordering in pm_runtime_get_suppliers()     (git-fixes).

  - post.sh: Return an error when module update fails     (bsc#1047233 bsc#1184388).

  - powerpc/64s: Fix instruction encoding for lis in     ppc_function_entry() (bsc#1065729).

  - powerpc/pmem: Include pmem prototypes (bsc#1113295     git-fixes).

  - powerpc/pseries/ras: Remove unused variable 'status'     (bsc#1065729).

  - powerpc/sstep: Check instruction validity against ISA     version before emulation (bsc#1156395).

  - powerpc/sstep: Fix darn emulation (bsc#1156395).

  - powerpc/sstep: Fix incorrect return from analyze_instr()     (bsc#1156395).

  - powerpc/sstep: Fix load-store and update emulation     (bsc#1156395).

  - qlcnic: fix error return code in     qlcnic_83xx_restart_hw() (git-fixes).

  - RAS/CEC: Correct ce_add_elem()'s returned values     (bsc#1152489).

  - regulator: bd9571mwv: Fix AVS and DVFS voltage range     (git-fixes).

  - rpm/check-for-config-changes: Also ignore AS_VERSION     added in 5.12.

  - rpm/kernel-binary.spec.in: Fix dependency of     kernel-*-devel package (bsc#1184514) The devel package     requires the kernel binary package itself for building     modules externally.

  - samples/bpf: Fix possible hang in xdpsock with multiple     threads (bsc#1155518).

  - scsi: ibmvfc: Fix invalid state machine BUG_ON()     (bsc#1184647 ltc#191231).

  - smb3: add dynamic trace point to trace when credits     obtained (bsc#1181507).

  - smb3: fix crediting for compounding when only one     request in flight (bsc#1181507).

  - soc/fsl: qbman: fix conflicting alignment attributes     (git-fixes).

  - staging: comedi: cb_pcidas64: fix request_irq() warn     (git-fixes).

  - staging: comedi: cb_pcidas: fix request_irq() warn     (git-fixes).

  - thermal/core: Add NULL pointer check before using     cooling device stats (git-fixes).

  - USB: cdc-acm: downgrade message to debug (git-fixes).

  - USB: cdc-acm: untangle a circular dependency between     callback and softint (git-fixes).

  - usbip: vhci_hcd fix shift out-of-bounds in     vhci_hub_control() (git-fixes).

  - USB: quirks: ignore remote wake-up on Fibocom L850-GL     LTE modem (git-fixes).

  - x86: Introduce TS_COMPAT_RESTART to fix     get_nr_restart_syscall() (bsc#1152489).

  - x86/ioapic: Ignore IRQ2 again (bsc#1152489).

  - x86/mem_encrypt: Correct physical address calculation in
    __set_clr_pte_enc() (bsc#1152489).

  - xen/events: fix setting irq affinity (bsc#1184583).

The SUSE Linux Enterprise 12 SP4 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).

CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).

CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).

CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).

CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).

CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).

CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).

CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).

CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).

CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).

CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).

CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).

CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).

CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up.
The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).

CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).

CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).

CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).

CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).

CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).

CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).

CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).

CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).

CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.
This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).

CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).

CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).

CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).

CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).

CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue within virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue within the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).

CVE-2020-36310: Fixed an issue within arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).

CVE-2021-28950: Fixed an issue within fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2020-36322: Fixed an issue within the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211, bnc#1184952).

CVE-2021-3444: Fixed incorrect mod32 BPF verifier truncation (bsc#1184170).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).

CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).

CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).

CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).

CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).

CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).

CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).

CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).

CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).

CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).

CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).

CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).

CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).

CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).

CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up.
The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).

CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).

CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).

CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).

CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).

CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).

CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).

CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).

CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).

CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened.
This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).

CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).

CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).

CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).

CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).

CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2020-36312: Fixed an issue within virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).

CVE-2021-29650: Fixed an issue within the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).

CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).

CVE-2020-36310: Fixed an issue within arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).

CVE-2021-28950: Fixed an issue within fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).

CVE-2020-36322: Fixed an issue within the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211, bnc#1184952).

CVE-2021-3444: Fixed incorrect mod32 BPF verifier truncation (bsc#1184170).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).

CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).

CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192 ).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).

CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).

CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).

CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196 ).

CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).

CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).

CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593 ).

CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).

CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).

CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).

CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).

CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).

CVE-2020-35519: Fixed an out-of-bounds memory access was found in x25_bind (bsc#1183696).

CVE-2020-27815: Fixed an issue in JFS filesystem where could have allowed an attacker to execute code (bsc#1179454).

CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).

CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).

CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280 ).

CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256).

CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).

CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).

CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop continually was finding the same bad inode (bsc#1184194).

CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509 ).

CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).

CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).

CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsytem (bsc#1178181).

CVE-2020-36322: Fixed an issue was discovered in FUSE filesystem implementation which could have caused a system crash (bsc#1184211).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).

CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).

CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192 ).

CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).

CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).

CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).

CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196 ).

CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).

CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).

CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593 ).

CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).

CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).

CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).

CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).

CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).

CVE-2020-35519: Fixed an out-of-bounds memory access was found in x25_bind (bsc#1183696).

CVE-2020-27815: Fixed an issue in JFS filesystem where could have allowed an attacker to execute code (bsc#1179454).

CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).

CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).

CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280 ).

CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256).

CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsytem (bsc#1178181).

CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).

CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).

CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).

CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).

CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).

CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509 ).

CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop continually was finding the same bad inode (bsc#1184194).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
155219	RHEL 8 : kernel (RHSA-2021:4356)	Nessus	Red Hat Local Security Checks	high
155172	RHEL 8 : kernel-rt (RHSA-2021:4140)	Nessus	Red Hat Local Security Checks	high
155145	CentOS 8 : kernel (CESA-2021:4356)	Nessus	CentOS Local Security Checks	high
155070	CentOS 8 : kernel-rt (CESA-2021:4140)	Nessus	CentOS Local Security Checks	high
152313	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2272)	Nessus	Huawei Local Security Checks	high
151756	openSUSE 15 Security Update : kernel (openSUSE-SU-2021:1977-1)	Nessus	SuSE Local Security Checks	critical
151730	openSUSE 15 Security Update : kernel (openSUSE-SU-2021:1975-1)	Nessus	SuSE Local Security Checks	critical
151562	EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-2183)	Nessus	Huawei Local Security Checks	high
151307	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)	Nessus	Huawei Local Security Checks	high
151238	EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-2051)	Nessus	Huawei Local Security Checks	high
151042	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2021-1983)	Nessus	Huawei Local Security Checks	high
150927	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1975-1)	Nessus	SuSE Local Security Checks	critical
150901	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1977-1)	Nessus	SuSE Local Security Checks	critical
149892	openSUSE Security Update : the Linux Kernel (openSUSE-2021-758)	Nessus	SuSE Local Security Checks	critical
149717	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1624-1)	Nessus	SuSE Local Security Checks	high
149716	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1623-1)	Nessus	SuSE Local Security Checks	high
149633	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1617-1)	Nessus	SuSE Local Security Checks	high
149605	openSUSE Security Update : the Linux Kernel (openSUSE-2021-579)	Nessus	SuSE Local Security Checks	high
149491	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1596-1)	Nessus	SuSE Local Security Checks	high
149487	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1595-1)	Nessus	SuSE Local Security Checks	high
149462	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1573-1)	Nessus	SuSE Local Security Checks	high
149456	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1572-1)	Nessus	SuSE Local Security Checks	high
148747	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1238-1)	Nessus	SuSE Local Security Checks	critical
148698	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1211-1)	Nessus	SuSE Local Security Checks	critical

CVE-2020-36312

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

critical

critical

high

high

high

high

critical

critical

critical

high

high

high

high

high

high

high

high

critical

critical