Alibaba Cloud Linux 3 : 0075: cloud-kernel bugfix, enhancement and (ALINUX3-SA-2025:0075)

critical Nessus Plugin ID 237278

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2025:0075 advisory.

Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

CVE-2022-48635:
In the Linux kernel, the following vulnerability has been resolved:
fsdax: Fix infinite loop in dax_iomap_rw()
I got an infinite loop and a WARNING report when executing a tail command in virtiofs.
WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0
Modules linked in:
CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7
Call Trace:
<TASK>
dax_iomap_rw+0xea/0x620
? __this_cpu_preempt_check+0x13/0x20
fuse_dax_read_iter+0x47/0x80
fuse_file_read_iter+0xae/0xd0
new_sync_read+0xfe/0x180
? 0xffffffff81000000
vfs_read+0x14d/0x1a0
ksys_read+0x6d/0xf0
__x64_sys_read+0x1a/0x20
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The tail command will call read() with a count of 0. In this case, iomap_iter() will report this WARNING and always return 1, which causes the infinite loop in dax_iomap_rw().
Fix this by checking whether count is 0 in dax_iomap_rw().

CVE-2022-48639:
In the Linux kernel, the following vulnerability has been resolved:
net: sched: fix possible refcount leak in tc_new_tfilter()
tfilter_put needs to be called to put the refcount got by tp->ops->get to avoid a possible refcount leak when chain->tmplt_ops != NULL and chain->tmplt_ops != tp->ops.

CVE-2022-48644:
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: avoid disabling offload when it was never enabled
In an incredibly strange API design decision, qdisc->destroy() gets called even if qdisc->init() never succeeded, not exclusively since commit 87b60cfacf9f (net_sched: fix error recovery at qdisc creation), but apparently also earlier (in the case of qdisc_create_dflt()).
The taprio qdisc does not fully acknowledge this when it attempts full offload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID in taprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGS parsed from netlink (in taprio_change(), tail called from taprio_init()).
determines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).
But looking at the implementation of FULL_OFFLOAD_IS_ENABLED() (a bitwise check of bit 1 in q->flags), it is invalid to call this macro on q->flags when it contains TAPRIO_FLAGS_INVALID, because that is set to U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true on

CVE-2022-48651:
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following:
=================================================================
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
CPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
Call Trace:
print_address_description.constprop.0+0x1d/0x160
print_report.cold+0x4f/0x112
kasan_report+0xa3/0x130
ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
ipvlan_start_xmit+0x29/0xa0 [ipvlan]
__dev_direct_xmit+0x2e2/0x380
packet_direct_xmit+0x22/0x60
packet_snd+0x7c9/0xc40
sock_sendmsg+0x9a/0xa0
__sys_sendto+0x18a/0x230
__x64_sys_sendto+0x74/0x90
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is:
1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers()
2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()
In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use skb->head + skb->mac_header, out-of-bound access occurs.
This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug.

CVE-2022-48675:
In the Linux kernel, the following vulnerability has been resolved:
IB/core: Fix a nested dead lock as part of ODP flow
Fix a nested dead lock as part of ODP flow by using mmput_async().
From the below call trace [1] can see that calling mmput() once we have the umem_odp->umem_mutex locked as required by ib_umem_odp_map_dma_and_lock() might trigger in the same task the exit_mmap()->__mmu_notifier_release()->mlx5_ib_invalidate_range() which may dead lock when trying to lock the same mutex.
Moving to use mmput_async() will solve the problem as the above exit_mmap() flow will be called in other task and will be executed once the lock will be available.

CVE-2022-48828:
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix ia_size underflow
iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle.
Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr().

CVE-2022-48946:
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix preallocation discarding at indirect extent boundary
When preallocation extent is the first one in the extent block, the code would corrupt extent tree header instead. Fix the problem and use udf_delete_aext() for deleting extent to avoid some code duplication.

CVE-2022-48981:
In the Linux kernel, the following vulnerability has been resolved:
drm/shmem-helper: Remove errant put in error path
drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free.

CVE-2022-48993:
[REJECTED CVE] A memory initialization vulnerability in the Linux Kernel's fbcon module allows uninitialized memory in the save variable to be copied during operations in fbcon_prepare_logo(). This can result in unpredictable behavior, including kernel crashes or memory corruption, when handling frame buffer devices.

CVE-2022-49014:
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Fix use-after-free in tun_detach()
syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below:
==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673
CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x461 mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
call_netdevice_notifiers net/core/dev.c:1997 [inline]
netdev_wait_allrefs_any net/core/dev.c:10237 [inline]

CVE-2022-49046:
In the Linux kernel, the following vulnerability has been resolved:
i2c: dev: check return value when calling dev_set_name()
If dev_set_name() fails, the dev_name() is null, check the return value of dev_set_name() to avoid the null-ptr-deref.

CVE-2022-49190:
In the Linux kernel, the following vulnerability has been resolved:
kernel/resource: fix kfree() of bootmem memory again
Since commit ebff7d8f270d (mem hotunplug: fix kfree() of bootmem memory), we could get a resource allocated during boot via alloc_resource(). And it's required to release the resource using free_resource(). However, many people use kfree directly which will result in kernel BUG. In order to fix this without fixing every call site, just leak a couple of bytes in such corner case.

CVE-2022-49219:
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: fix memory leak during D3hot to D0 transition
If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition.
For saving the PCI state locally, pci_store_saved_state() is being used and the pci_load_and_free_saved_state() will free the allocated memory.
But for reset related IOCTLs, vfio driver calls PCI reset-related API's which will internally change the PCI power state back to D0. So, when the guest resumes, then it will get the current state as D0 and it will skip the call to vfio_pci_set_power_state() for changing the power state to D0 explicitly. In this case, the memory pointed by 'pm_save' will never be freed. In a malicious sequence, the state changing to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be run in a loop and it can cause an OOM situation.
This patch frees the earlier allocated memory first before overwriting 'pm_save' to prevent the mentioned memory leak.

CVE-2022-49398:
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
The list_for_each_entry_safe() macro saves the current item (n) and the item after (n+1), so that n can be safely removed without corrupting the list. However, when traversing the list and removing items using gadget giveback, the DWC3 lock is briefly released, allowing other routines to execute. There is a situation where, while items are being removed from the cancelled_list using dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable routine is running in parallel (due to UDC unbind). As the cleanup routine removes n, and the pullup disable removes n+1, once the

CVE-2022-49443:
In the Linux kernel, the following vulnerability has been resolved:
list: fix a data-race around ep->rdllist
ep_poll() first calls ep_events_available() with no lock held and checks if ep->rdllist is empty by list_empty_careful(), which reads rdllist->prev. Thus all accesses to it need some protection to avoid store/load-tearing.
Note INIT_LIST_HEAD_RCU() already has the annotation for both prev and next.
Commit bf3b9f6372c4 (epoll: Add busy poll support to epoll with socket fds.) added the first lockless ep_events_available(), and commit c5a282e9635e (fs/epoll: reduce the scope of wq lock in epoll_wait()) made some ep_events_available() calls lockless and added single call under a lock, finally commit e59d3c64cba6 (epoll: eliminate unnecessary lock for zero timeout) made the last ep_events_available() lockless.
BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait
write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:
INIT_LIST_HEAD include/linux/list.h:38 [inline]
list_splice_init include/linux/list.h:492 [inline]
ep_start_scan fs/eventpoll.c:622 [inline]
ep_send_events fs/eventpoll.c:1656 [inline]
ep_poll fs/eventpoll.c:1806 [inline]
do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234
do_epoll_pwait fs/eventpoll.c:2268 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:
list_empty_careful include/linux/list.h:329 [inline]
ep_events_available fs/eventpoll.c:381 [inline]
ep_poll fs/eventpoll.c:1797 [inline]
do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234
do_epoll_pwait fs/eventpoll.c:2268 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xffff88810480c7d0 -> 0xffff888103c15098
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

CVE-2022-49444:
In the Linux kernel, the following vulnerability has been resolved:
module: fix [e_shstrndx].sh_size=0 OOB access
It is trivial to craft a module to trigger OOB access in this line:
if (info->secstrings[strhdr->sh_size - 1] != '\0') {
BUG: unable to handle page fault for address: ffffc90000aa0fff
PGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:load_module+0x19b/0x2391
[rebased patch onto modules-next]

CVE-2022-49562:
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits
Use the recently introduced __try_cmpxchg_user() to update guest PTE A/D bits instead of mapping the PTE into kernel address space. The VM_PFNMAP path is broken as it assumes that vm_pgoff is the base pfn of the mapped VMA range, which is conceptually wrong as vm_pgoff is the offset relative to the file and has nothing to do with the pfn. The horrific hack worked for the original use case (backing guest memory with /dev/mem), but leads to accessing random pfns for pretty much any other VM_PFNMAP case.

CVE-2022-49711:
In the Linux kernel, the following vulnerability has been resolved:
bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io triggers KASAN use-after-free. To avoid the use-after-free, keep the reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to fsl_destroy_mc_io().
This patch needs rework to apply to kernels older than v5.15.

CVE-2023-52448:
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in gfs2_rgrp_dump() to prevent that.

CVE-2023-52463:
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: force RO when remounting if SetVariable is not supported
If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call that. However, we never check the permission flags when someone remounts the filesystem as RW. As a result this leads to a

CVE-2023-52464:
In the Linux kernel, the following vulnerability has been resolved:
EDAC/thunderx: Fix possible out-of-bounds string access
Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat():
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer.
Change it to strlcat().
[ bp: Trim compiler output, fixup commit message. ]

CVE-2023-52477:
In the Linux kernel, the following vulnerability has been resolved:
usb: hub: Guard against accesses to uninitialized BOS descriptors
Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash:
BUG: kernel NULL pointer dereference, address: 0000000000000018
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1>
Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021
Workqueue: usb_hub_wq hub_event
RIP: 0010:hub_port_reset+0x193/0x788
Call Trace:
hub_event+0x73f/0x156e
? hub_activate+0x5b7/0x68f
process_one_work+0x1a2/0x487

CVE-2023-52486:
In the Linux kernel, the following vulnerability has been resolved:
drm: Don't unref the same fb many times by mistake due to deadlock handling
If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top.
But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed to unref the same fb again without having gotten another reference.
The end result is that the fb will (eventually) end up being freed while it's still in use.
Reset fb to NULL once we've unreffed it to avoid doing it again until we've done another fb lookup.
This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw was that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit.

CVE-2023-52503:
In the Linux kernel, the following vulnerability has been resolved:
tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
There is a potential race condition in amdtee_close_session that may cause use-after-free in amdtee_open_session. For instance, if a session has refcount == 1, and one thread tries to free this session via:
kref_put(&sess->refcount, destroy_session);
the reference count will get decremented, and the next step would be to call destroy_session(). However, if in another thread, amdtee_open_session() is called before destroy_session() has completed execution, alloc_session() may return 'sess' that will be freed up later in destroy_session() leading to use-after-free in amdtee_open_session.
To fix this issue, treat decrement of sess->refcount and removal of 'sess' from session list in destroy_session() as a critical section, so that it is executed atomically.

CVE-2023-52618:
In the Linux kernel, the following vulnerability has been resolved:
block/rnbd-srv: Check for unlikely string overflow
Since dev_search_path can technically be as large as PATH_MAX, there was a risk of truncation when copying it and a second string into full_path since it was also PATH_MAX sized. The W=1 builds were reporting this warning:
drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':
drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]
616 | snprintf(full_path, PATH_MAX, "%s/%s",
| ^~
In function 'rnbd_srv_get_full_path', inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14:
drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096
616 | snprintf(full_path, PATH_MAX, "%s/%s",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CVE-2023-52756:
[REJECTED CVE] A double shift vulnerability was identified in the Linux kernel's pwm subsystem. The issue involves passing a shifted value instead of a bit number to set/test_bit() functions, resulting in a double shift (e.g., BIT(BIT(1))). While this doesn't cause problems for values 0 or 1, values of 5 or higher could lead to a buffer overflow, potentially allowing attackers to cause a denial of service.

CVE-2023-52759:
[REJECTED CVE] In the Linux kernel, the following vulnerability has been resolved:
gfs2: ignore negated quota changes
The Linux kernel CVE team has assigned CVE-2023-52759 to this issue.

CVE-2023-52789:
In the Linux kernel, the following vulnerability has been resolved:
tty: vcc: Add check for kstrdup() in vcc_probe()
Add check for the return value of kstrdup() and return the error, if it fails in order to avoid NULL pointer dereference.

CVE-2023-52836:
In the Linux kernel, the following vulnerability has been resolved:
locking/ww_mutex/test: Fix potential workqueue corruption
In some cases running with the test-ww_mutex code, I was seeing odd behavior where sometimes it seemed flush_workqueue was returning before all the work threads were finished.
Often this would cause strange crashes as the mutexes would be freed while they were being used.
Looking at the code, there is a lifetime problem as the controlling thread that spawns the work allocates the struct stress structures that are passed to the workqueue threads. Then when the workqueue threads are finished, they free the stress struct that was passed to them.
Unfortunately the workqueue work_struct node is in the stress struct. Which means the work_struct is freed before the work thread returns and while flush_workqueue is waiting.
It seems like a better idea to have the controlling thread both allocate and free the stress structures, so that we can be sure we don't corrupt the workqueue by freeing the structure prematurely.
So this patch reworks the test to do so, and with this change I no longer see the early flush_workqueue returns.

CVE-2023-52880:
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway.
Require initial namespace CAP_NET_ADMIN to do that.

CVE-2023-52898:
In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix null pointer dereference when host dies
Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race and cause null pointer dereference when host suddenly dies.
Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id]

CVE-2023-52917:
[REJECTED CVE] In the Linux kernel, the following vulnerability has been resolved:
ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
The debugfs_create_dir() function returns error pointers. It never returns NULL. So use IS_ERR() to check it.

CVE-2024-26591:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix re-attachment branch in bpf_tracing_prog_attach
The following case can cause a crash due to missing attach_btf:
1) load rawtp program
2) load fentry program with rawtp as target_fd
3) create tracing link for fentry program with target_fd = 0
4) repeat 3
In the end we have:
- prog->aux->dst_trampoline == NULL
- tgt_prog == NULL (because we did not provide target_fd to link_create)
- prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
- the program was loaded for tgt_prog but we have no way to find out which one
BUG: kernel NULL pointer dereference, address: 0000000000000058
Call Trace:
<TASK>
? __die+0x20/0x70
? page_fault_oops+0x15b/0x430
? fixup_exception+0x22/0x330
? exc_page_fault+0x6f/0x170
? asm_exc_page_fault+0x22/0x30
? bpf_tracing_prog_attach+0x279/0x560
? btf_obj_id+0x5/0x10
bpf_tracing_prog_attach+0x439/0x560
__sys_bpf+0x1cf4/0x2de0

CVE-2024-26598:
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

CVE-2024-26629:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix RELEASE_LOCKOWNER

CVE-2024-26641:
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
syzbot found __ip6_tnl_rcv() could access uninitialized data [1].

CVE-2024-26642:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: disallow anonymous set with timeout flag
Anonymous sets are never used with timeout from userspace, reject this.

CVE-2024-26718:
In the Linux kernel, the following vulnerability has been resolved:
dm-crypt, dm-verity: disable tasklets
Tasklets have an inherent problem with memory corruption. The function tasklet_action_common calls tasklet_trylock, then it calls the tasklet callback and then it calls tasklet_unlock. If the tasklet callback frees the structure that contains the tasklet or if it calls some code that may free it, tasklet_unlock will write into free memory.
The commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but it is not a sufficient fix and the data corruption can still happen [1].

CVE-2024-26749:
In the Linux kernel, the following vulnerability has been resolved:

CVE-2024-26778:
In the Linux kernel, the following vulnerability has been resolved:
fbdev: savage: Error out if pixclock equals zero
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error.
Although pixclock is checked in savagefb_decode_var(), it is not checked properly in savagefb_probe(). Fix this by checking whether pixclock is zero in the function savagefb_check_var() before info->var.pixclock is used as the divisor.
This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8.

CVE-2024-26808:
In the Linux kernel, the following vulnerability has been resolved:

CVE-2024-26810:
In the Linux kernel, the following vulnerability has been resolved:

CVE-2024-26812:
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Create persistent INTx handler

CVE-2024-26934:
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix deadlock in usb_deauthorize_interface()

CVE-2024-26970:
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: gcc-ipq6018: fix terminating of frequency table arrays

CVE-2024-26977:
In the Linux kernel, the following vulnerability has been resolved:
pci_iounmap(): Fix MMIO mapping leak

CVE-2024-26988:
In the Linux kernel, the following vulnerability has been resolved:
init/main.c: Fix potential static_command_line memory overflow

CVE-2024-27020:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()

CVE-2024-27389:
In the Linux kernel, the following vulnerability has been resolved:
pstore: inode: Only d_invalidate() is needed

CVE-2024-27437:
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Disable auto-enable of exclusive INTx IRQ

CVE-2024-35791:
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()

CVE-2024-35947:
In the Linux kernel, the following vulnerability has been resolved:
dyndbg: fix old BUG_ON in >control parser

CVE-2024-36476:
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rtrs: Ensure 'ib_sge list' is accessible

CVE-2024-36489:
In the Linux kernel, the following vulnerability has been resolved:
tls: fix missing memory barrier in tls_init

CVE-2024-36953:
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()

CVE-2024-37356:
In the Linux kernel, the following vulnerability has been resolved:
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

CVE-2024-38577:
In the Linux kernel, the following vulnerability has been resolved:
rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

CVE-2024-38601:
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix a race between readers and resize checks

CVE-2024-38605:
In the Linux kernel, the following vulnerability has been resolved:
ALSA: core: Fix NULL module pointer assignment at card init

CVE-2024-39468:
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix deadlock in smb2_find_smb_tcon()
Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock.

CVE-2024-39480:
In the Linux kernel, the following vulnerability has been resolved:
kdb: Fix buffer overflow during tab-complete

CVE-2024-41004:
In the Linux kernel, the following vulnerability has been resolved:
tracing: Build event generation tests only as modules

CVE-2024-41023:
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: Fix task_struct reference leak

CVE-2024-41045:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Defer work in bpf_timer_cancel_and_free

CVE-2024-42084:
In the Linux kernel, the following vulnerability has been resolved:
ftruncate: pass a signed offset

CVE-2024-42143:
No description is available for this CVE.

CVE-2024-42161:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD

CVE-2024-42239:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fail bpf_timer_cancel when callback is being cancelled

CVE-2024-42246:
In the Linux kernel, the following vulnerability has been resolved:
net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

CVE-2024-42283:
In the Linux kernel, the following vulnerability has been resolved:
net: nexthop: Initialize all fields in dumped nexthops

CVE-2024-42312:
In the Linux kernel, the following vulnerability has been resolved:
sysctl: always initialize i_uid/i_gid

CVE-2024-43098:
In the Linux kernel, the following vulnerability has been resolved:
i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock
A deadlock may happen since the i3c_master_register() acquires

CVE-2024-43817:
In the Linux kernel, the following vulnerability has been resolved:
net: missing check virtio
Two missing checks in virtio_net_hdr_to_skb() allowed syzbot

CVE-2024-43846:
In the Linux kernel, the following vulnerability has been resolved:
lib: objagg: Fix general protection fault

CVE-2024-43883:
In the Linux kernel, the following vulnerability has been resolved:
usb: vhci-hcd: Do not drop references before new references are gained

CVE-2024-43889:
In the Linux kernel, the following vulnerability has been resolved:
padata: Fix possible divide-by-0 panic in padata_mt_helper()

CVE-2024-43890:
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix overflow in get_free_elt()

CVE-2024-43892:
In the Linux kernel, the following vulnerability has been resolved:
memcg: protect concurrent access to mem_cgroup_idr

CVE-2024-43893:
In the Linux kernel, the following vulnerability has been resolved:
serial: core: check uartclk for zero to avoid divide by zero

CVE-2024-43894:
In the Linux kernel, the following vulnerability has been resolved:
drm/client: fix null pointer dereference in drm_client_modeset_probe
In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is assigned to modeset->mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.

CVE-2024-43914:
In the Linux kernel, the following vulnerability has been resolved:
md/raid5: avoid BUG_ON() while continue reshape after reassembling

CVE-2024-44944:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: use helper function to calculate expect ID
Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace.

CVE-2024-44989:
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix xfrm real_dev null pointer dereference

CVE-2024-44990:
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix null pointer deref in bond_ipsec_offload_ok
We must check if there is an active slave before dereferencing the pointer.

CVE-2024-45006:
In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration

CVE-2024-46674:
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: st: fix probed platform device ref count on probe error path

CVE-2024-46675:
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: core: Prevent USB core invalid event buffer address access

CVE-2024-46707:
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3

CVE-2024-46719:
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Fix null pointer dereference in trace

CVE-2024-46735:
In the Linux kernel, the following vulnerability has been resolved:
ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()

CVE-2024-46743:
In the Linux kernel, the following vulnerability has been resolved:
of/irq: Prevent device address out-of-bounds read in interrupt map walk

CVE-2024-46750:
In the Linux kernel, the following vulnerability has been resolved:
PCI: Add missing bridge lock to pci_bus_lock()

CVE-2024-46763:
In the Linux kernel, the following vulnerability has been resolved:
fou: Fix null-ptr-deref in GRO.

CVE-2024-46782:
In the Linux kernel, the following vulnerability has been resolved:
ila: call nf_unregister_net_hooks() sooner

CVE-2024-46787:
In the Linux kernel, the following vulnerability has been resolved:
userfaultfd: fix checks for huge PMDs

CVE-2024-46829:
In the Linux kernel, the following vulnerability has been resolved:
rtmutex: Drop rt_mutex::wait_lock before scheduling

CVE-2024-47667:
In the Linux kernel, the following vulnerability has been resolved:
PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)

CVE-2024-47668:
In the Linux kernel, the following vulnerability has been resolved:
lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

CVE-2024-47671:
In the Linux kernel, the following vulnerability has been resolved:
USB: usbtmc: prevent kernel-usb-infoleak
The syzbot reported a kernel-usb-infoleak in usbtmc_write, we need to clear the structure before filling fields.

CVE-2024-47679:
In the Linux kernel, the following vulnerability has been resolved:
vfs: fix race between evice_inodes() and find_inode()&iput()

CVE-2024-47685:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

CVE-2024-47692:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: return -EINVAL when namelen is 0

CVE-2024-47695:
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

CVE-2024-47705:
In the Linux kernel, the following vulnerability has been resolved:
block: fix potential invalid pointer dereference in blk_add_partition

CVE-2024-47706:
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible UAF for bfqq->bic with merge chain

CVE-2024-47707:
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

CVE-2024-47736:
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle overlapped pclusters out of crafted images properly

CVE-2024-47737:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: call cache_put if xdr_reserve_space returns NULL

CVE-2024-47739:
In the Linux kernel, the following vulnerability has been resolved:
padata: use integer wrap around to prevent deadlock on seq_nr overflow

CVE-2024-47742:
In the Linux kernel, the following vulnerability has been resolved:
firmware_loader: Block path traversal

CVE-2024-47755:
[REJECTED CVE] A memory leak vulnerability has been identified in the Linux Kernel's scan_labels() function. This issue occurs when label scanning fails, causing the function to fall back to creating a default seed namespace for userspace configuration. This fallback mechanism inadvertently leaks memory.

CVE-2024-48881:
In the Linux kernel, the following vulnerability has been resolved:
bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again

CVE-2024-49569:
In the Linux kernel, the following vulnerability has been resolved:
nvme-rdma: unquiesce admin_q before destroy it

CVE-2024-49851:
In the Linux kernel, the following vulnerability has been resolved:
tpm: Clean up TPM space after command failure

CVE-2024-49858:
In the Linux kernel, the following vulnerability has been resolved:
efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption

CVE-2024-49878:
In the Linux kernel, the following vulnerability has been resolved:
resource: fix region_intersects() vs add_memory_driver_managed()

CVE-2024-49924:
In the Linux kernel, the following vulnerability has been resolved:
fbdev: pxafb: Fix possible use after free in pxafb_task()

CVE-2024-49933:
In the Linux kernel, the following vulnerability has been resolved:
blk_iocost: fix more out of bound shifts

CVE-2024-49948:
In the Linux kernel, the following vulnerability has been resolved:
net: add more sanity checks to qdisc_pkt_len_init()

CVE-2024-49949:
In the Linux kernel, the following vulnerability has been resolved:
net: avoid potential underflow in qdisc_pkt_len_init() with UFO

CVE-2024-49952:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: prevent nf_skb_duplicated corruption

CVE-2024-49954:
In the Linux kernel, the following vulnerability has been resolved:
static_call: Replace pointless WARN_ON() in static_call_module_notify()

CVE-2024-49963:
In the Linux kernel, the following vulnerability has been resolved:
mailbox: bcm2835: Fix timeout during suspend mode

CVE-2024-49975:
In the Linux kernel, the following vulnerability has been resolved:
uprobes: fix kernel info leak via [uprobes] vma

CVE-2024-49978:
In the Linux kernel, the following vulnerability has been resolved:
gso: fix udp gso fraglist segmentation after pull from frag_list

CVE-2024-50002:
In the Linux kernel, the following vulnerability has been resolved:
static_call: Handle module init failure correctly in static_call_del_module()

CVE-2024-50036:
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()

CVE-2024-50045:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: fix panic with metadata_dst skb

CVE-2024-50046:
In the Linux kernel, the following vulnerability has been resolved:
NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()

CVE-2024-50059:
In the Linux kernel, the following vulnerability has been resolved:
ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

CVE-2024-50082:
In the Linux kernel, the following vulnerability has been resolved:
blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

CVE-2024-50083:
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix mptcp DSS corruption due to large pmtu xmit

CVE-2024-50115:
In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

CVE-2024-50131:
In the Linux kernel, the following vulnerability has been resolved:
tracing: Consider the NULL character when validating the event length

CVE-2024-50150:
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: altmode should keep reference to parent

CVE-2024-50151:
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOBs when building SMB2_IOCTL request

CVE-2024-50153:
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: core: Fix null-ptr-deref in target_alloc_device()

CVE-2024-50179:
In the Linux kernel, the following vulnerability has been resolved:
ceph: remove the incorrect Fw reference check when dirtying pages

CVE-2024-50180:
In the Linux kernel, the following vulnerability has been resolved:
fbdev: sisfb: Fix strbuf array overflow

CVE-2024-50181:
[REJECTED CVE] In the Linux kernel, the following vulnerability has been resolved:
clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D

CVE-2024-50251:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

CVE-2024-50256:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

CVE-2024-50258:
In the Linux kernel, the following vulnerability has been resolved:
net: fix crash when config small gso_max_size/gso_ipv4_max_size

CVE-2024-50264:
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans issue is resolved by initializing vsk->trans to NULL.

CVE-2024-50267:
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_edgeport: fix use after free in debug printk

CVE-2024-50269:
In the Linux kernel, the following vulnerability has been resolved:
usb: musb: sunxi: Fix accessing an released usb phy

CVE-2024-50301:
In the Linux kernel, the following vulnerability has been resolved:
security/keys: fix slab-out-of-bounds in key_task_permission

CVE-2024-50304:
In the Linux kernel, the following vulnerability has been resolved:
ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

CVE-2024-53054:
[REJECTED CVE] A vulnerability was identified in the Linux kernel's cgroup BPF subsystem, where excessive cgroup_bpf_release work items could saturate the system workqueue (system_wq), leading to a deadlock. When a large number of cpuset cgroups are deleted, system_wq fills up, preventing critical tasks like CPU hotplug operations and watchdog reconfiguration from executing. This results in multiple blocked kernel tasks, ultimately causing a system hang. An attacker with the ability to create and delete numerous cpuset cgroups could exploit this by triggering excessive asynchronous deletions, forcing the system into an unresponsive state.

CVE-2024-53066:
In the Linux kernel, the following vulnerability has been resolved:
nfs: Fix KMSAN warning in decode_getfattr_attrs()

CVE-2024-53068:
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

CVE-2024-53103:
In the Linux kernel, the following vulnerability has been resolved:
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
When hvs is released, there is a possibility that vsk->trans may not be initialized to NULL, which could lead to a dangling pointer.
This issue is resolved by initializing vsk->trans to NULL.

CVE-2024-53104:
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.

CVE-2024-53119:
In the Linux kernel, the following vulnerability has been resolved:
virtio/vsock: Fix accept_queue memory leak

CVE-2024-53122:
In the Linux kernel, the following vulnerability has been resolved:
mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

CVE-2024-53124:
In the Linux kernel, the following vulnerability has been resolved:
net: fix data-races around sk->sk_forward_alloc

CVE-2024-53125:
In the Linux kernel, the following vulnerability has been resolved:
bpf: sync_linked_regs() must preserve subreg_def

CVE-2024-53140:
In the Linux kernel, the following vulnerability has been resolved:
netlink: terminate outstanding dump on socket close

CVE-2024-53141:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: add missing range check in bitmap_ip_uadt

CVE-2024-53146:
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Prevent a potential integer overflow

CVE-2024-53157:
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scpi: Check the DVFS OPP count returned by the firmware

CVE-2024-53161:
In the Linux kernel, the following vulnerability has been resolved:
EDAC/bluefield: Fix potential integer overflow

CVE-2024-53172:
In the Linux kernel, the following vulnerability has been resolved:
ubi: fastmap: Fix duplicate slab cache names while attaching

CVE-2024-53174:
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: make sure cache entry active before cache_show

CVE-2024-53194:
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix use-after-free of slot->bus on hot remove

CVE-2024-53214:
In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Properly hide first-in-list PCIe extended capability

CVE-2024-53234:
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle NONHEAD !delta[1] lclusters gracefully

CVE-2024-56558:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: make sure exp active before svc_export_show

CVE-2024-56569:
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix regression with module command in stack_trace_filter

CVE-2024-56570:
In the Linux kernel, the following vulnerability has been resolved:
ovl: Filter invalid inodes with missing lookup function

CVE-2024-56583:
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: Fix warning in migrate_enable for boosted tasks

CVE-2024-56600:
In the Linux kernel, the following vulnerability has been resolved:
net: inet6: do not leave a dangling sk pointer in inet6_create()

CVE-2024-56602:
In the Linux kernel, the following vulnerability has been resolved:
net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

CVE-2024-56605:
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

CVE-2024-56606:
In the Linux kernel, the following vulnerability has been resolved:
af_packet: avoid erroring out after sock_init_data() in packet_create()

CVE-2024-56610:
In the Linux kernel, the following vulnerability has been resolved:
kcsan: Turn report_filterlist_lock into a raw_spinlock

CVE-2024-56614:
In the Linux kernel, the following vulnerability has been resolved:
xsk: fix OOB map writes when deleting elements

CVE-2024-56636:
In the Linux kernel, the following vulnerability has been resolved:
geneve: do not assume mac header is set in geneve_xmit_skb()

CVE-2024-56637:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: Hold module reference while requesting a module

CVE-2024-56642:
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free of kernel socket in cleanup_bearer().

CVE-2024-56644:
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: release expired exception dst cached in socket

CVE-2024-56664:
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix race between element replace and close()

CVE-2024-56672:
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix UAF in blkcg_unpin_online()

CVE-2024-56686:
[REJECTED CVE] A vulnerability was identified in the ext4 filesystem of the Linux kernel, where a race condition in buffer_head read fault injection could lead to clearing the buffer_uptodate flag on active buffers. This occurred due to a non-atomic interaction between buffer read completion and fault injection, potentially causing inode bitmap read failures and warnings. An attacker with control over fault injection mechanisms could exploit this issue to trigger filesystem inconsistencies or denial-of-service (DoS) conditions by forcing invalid buffer states, leading to unexpected crashes or errors.

CVE-2024-56688:
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport

CVE-2024-56694:
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix recursive lock when verdict program return SK_PASS

CVE-2024-56698:
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Fix looping of queued SG entries

CVE-2024-56739:
In the Linux kernel, the following vulnerability has been resolved:
rtc: check if __rtc_read_time was successful in rtc_timer_do_work()

CVE-2024-56747:
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()

CVE-2024-56751:
In the Linux kernel, the following vulnerability has been resolved:
ipv6: release nexthop on device removal

CVE-2024-56756:
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: fix freeing of the HMB descriptor table

CVE-2024-56779:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur

CVE-2024-56780:
In the Linux kernel, the following vulnerability has been resolved:
quota: flush quota_release_work upon quota writeback

CVE-2024-57807:
In the Linux kernel, the following vulnerability has been resolved:
scsi: megaraid_sas: Fix for a potential deadlock

CVE-2024-57888:
In the Linux kernel, the following vulnerability has been resolved:
workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker

CVE-2024-57889:
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

CVE-2024-57903:
In the Linux kernel, the following vulnerability has been resolved:
net: restrict SO_REUSEPORT to inet sockets

CVE-2024-57913:
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

CVE-2024-57917:
In the Linux kernel, the following vulnerability has been resolved:
topology: Keep the cpumask unchanged when printing cpumap

CVE-2024-57929:
In the Linux kernel, the following vulnerability has been resolved:
dm array: fix releasing a faulty array block twice in dm_array_cursor_end

CVE-2024-57951:
In the Linux kernel, the following vulnerability has been resolved:
hrtimers: Handle CPU state correctly on hotplug

CVE-2024-57981:
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts

CVE-2024-58010:
In the Linux kernel, the following vulnerability has been resolved:
binfmt_flat: Fix integer overflow bug on 32 bit systems

CVE-2025-21656:
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur

CVE-2025-21664:
In the Linux kernel, the following vulnerability has been resolved:
dm thin: make get_first_thin use rcu-safe list first function

CVE-2025-21683:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix bpf_sk_select_reuseport() memory leak

CVE-2025-21689:
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()

CVE-2025-21699:
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag

CVE-2025-21704:
In the Linux kernel, the following vulnerability has been resolved:
usb: cdc-acm: Check control transfer buffer size before access

CVE-2025-21724:
In the Linux kernel, the following vulnerability has been resolved:
iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()
Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant 1 (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior.
The constant 1 defaults to a 32-bit int, and when pgshift exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type.
To resolve this, the constant is updated to 1UL, promoting it to an unsigned long type to match the operand's type.

CVE-2025-21726:
In the Linux kernel, the following vulnerability has been resolved:
padata: avoid UAF for reorder_work
Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:
crypto_request    crypto_request    crypto_del_alg
padata_do_serial
...
padata_reorder
// processes all remaining
// requests then breaks
while (1) {
if (!padata)
break;
...
}
padata_do_serial
// new request added
list_add
// sees the new request
queue_work(reorder_work)
padata_reorder
queue_work_on(squeue->work)
...
<kworker context>
padata_serial_worker
// completes new request,
// no more outstanding
// requests
crypto_del_alg
// free pd
<kworker context>
invoke_padata_reorder
// UAF of pd
To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.

CVE-2025-21727:
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01).
This can be explained as below:
pcrypt_aead_encrypt
...
padata_do_parallel
refcount_inc(&pd->refcnt); // add refcnt
...
padata_do_serial
padata_reorder // pd
while (1) {
padata_find_next(pd, true); // using pd
queue_work_on
...
padata_serial_worker    crypto_del_alg
padata_put_pd_cnt // sub refcnt
padata_free_shell
padata_put_pd(ps->pd);
// pd is freed
// loop again, but pd is freed
// call padata_find_next, UAF
}
In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish.
[1] https://lore.kernel.org/all/[email protected]/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/

CVE-2025-21728:
In the Linux kernel, the following vulnerability has been resolved:
bpf: Send signals asynchronously if !preemptible
BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep.
Change `irqs_disabled()` to `!preemptible()`.

CVE-2025-21731:
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect
Following process can cause nbd_config UAF:
1) grab nbd_config temporarily;
2) nbd_genl_disconnect() flush all recv_work() and release the initial reference:
  nbd_genl_disconnect
  nbd_disconnect_and_put
  nbd_disconnect
  flush_workqueue(nbd->recv_workq)
  if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
  nbd_config_put
  -> due to step 1), reference is still not zero
3) nbd_genl_reconfigure() queue recv_work() again;
  nbd_genl_reconfigure
  config = nbd_get_config_unlocked(nbd)
  if (!config)
  -> succeed
  if (!test_bit(NBD_RT_BOUND, ...))
  -> succeed
  nbd_reconnect_socket
  queue_work(nbd->recv_workq, &args->work)
4) step 1) release the reference;
5) Finally, recv_work() will trigger UAF:
  recv_work
  nbd_config_put(nbd)
  -> nbd_config is freed
  atomic_dec(&config->recv_threads)
  -> UAF
Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.

CVE-2025-21734:
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix copy buffer page size
For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improper and out-of-bounds page size which could result in memory issue. Calculate page start and page end using the offset adjusted address instead of absolute address.

CVE-2025-21745:
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix class @block_class's subsystem refcount leakage
blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage.
Fix by ending the iterating with class_dev_iter_exit().

CVE-2025-21787:
In the Linux kernel, the following vulnerability has been resolved:
team: better TEAM_OPTION_TYPE_STRING validation
syzbot reported following splat [1]
Make sure user-provided data contains one nul byte.
[1]
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
string_nocheck lib/vsprintf.c:633 [inline]
string+0x3ec/0x5f0 lib/vsprintf.c:714
vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
__request_module+0x252/0x9f0 kernel/module/kmod.c:149
team_mode_get drivers/net/team/team_core.c:480 [inline]
team_change_mode drivers/net/team/team_core.c:607 [inline]
team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
team_option_set drivers/net/team/team_core.c:375 [inline]
team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:733
____sys_sendmsg+0x877/0xb60 net/socket.c:2573
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
__sys_sendmsg net/socket.c:2659 [inline]
__do_sys_sendmsg net/socket.c:2664 [inline]
__se_sys_sendmsg net/socket.c:2662 [inline]
__x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

CVE-2025-21804:
In the Linux kernel, the following vulnerability has been resolved:
PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()
The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is then passed on as one of the macro arguments. This can lead to undefined behavior.
Depending on the current contents of the memory, the manifestations of errors may vary. One possible output may be as follows:
$ cat /proc/iomem
30000000-37ffffff :
38000000-3fffffff :
Sometimes, garbage may appear after the colon.
In very rare cases, if no NULL-terminator is found in memory, the system might crash because the string iterator will overrun which can lead to access of unmapped memory above the stack.
Thus, fix this by replacing outbound_name with the name of the previously requested resource. With the changes applied, the output will be as follows:
$ cat /proc/iomem
30000000-37ffffff : memory2
38000000-3fffffff : memory3
[kwilczynski: commit log]

CVE-2025-21814:
In the Linux kernel, the following vulnerability has been resolved:
ptp: Ensure info->enable callback is always set
The ioctl and sysfs handlers unconditionally call the ->enable callback.
Not all drivers implement that callback, leading to NULL dereferences.
Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
Instead use a dummy callback if no better was specified by the driver.

CVE-2025-21844:
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Add check for next_buffer in receive_encrypted_standard()
Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference.

CVE-2025-21853:
In the Linux kernel, the following vulnerability has been resolved:
bpf: avoid holding freeze_mutex during mmap operation
We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0].
So, instead, hold freeze_mutex only during writeability checks, bump (proactively) write active count for the map, unlock the mutex and proceed with mmap logic. And only if something went wrong during mmap logic, then undo that write active counter increment.
[0] https://lore.kernel.org/bpf/[email protected]/

CVE-2025-21887:
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote().
Move dput(upper) after its last use to prevent use-after-free.
BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
</TASK>

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20250075.xml

Plugin Details

Severity: Critical

ID: 237278

File Name: alinux3_sa_2025-0075.nasl

Version: 1.1

Type: local

Published: 5/27/2025

Updated: 5/27/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2024-47685

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules-extra, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:bpftool, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:perf-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-libs, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debuginfo-common-aarch64, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-headers, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules-internal, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debuginfo-common-x86_64, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:bpftool-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:python3-perf, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-libs-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-debug-modules-extra, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:perf, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-tools-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-core, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:kernel-modules-internal, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:python3-perf-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Alibaba/release, Host/Alibaba/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/21/2025

Vulnerability Publication Date: 7/21/2021

CISA Known Exploited Vulnerability Due Dates: 2/26/2025

Reference Information

CVE: CVE-2022-48635, CVE-2022-48639, CVE-2022-48644, CVE-2022-48651, CVE-2022-48675, CVE-2022-48828, CVE-2022-48946, CVE-2022-48981, CVE-2022-48993, CVE-2022-49014, CVE-2022-49046, CVE-2022-49190, CVE-2022-49219, CVE-2022-49398, CVE-2022-49443, CVE-2022-49444, CVE-2022-49562, CVE-2022-49711, CVE-2023-52448, CVE-2023-52463, CVE-2023-52464, CVE-2023-52477, CVE-2023-52486, CVE-2023-52503, CVE-2023-52618, CVE-2023-52702, CVE-2023-52756, CVE-2023-52759, CVE-2023-52789, CVE-2023-52836, CVE-2023-52880, CVE-2023-52898, CVE-2023-52917, CVE-2024-26591, CVE-2024-26598, CVE-2024-26629, CVE-2024-26641, CVE-2024-26642, CVE-2024-26718, CVE-2024-26749, CVE-2024-26778, CVE-2024-26808, CVE-2024-26810, CVE-2024-26812, CVE-2024-26934, CVE-2024-26970, CVE-2024-26977, CVE-2024-26988, CVE-2024-27020, CVE-2024-27389, CVE-2024-27437, CVE-2024-35791, CVE-2024-35947, CVE-2024-36476, CVE-2024-36489, CVE-2024-36953, CVE-2024-37356, CVE-2024-38577, CVE-2024-38601, CVE-2024-38605, CVE-2024-39468, CVE-2024-39480, CVE-2024-41004, CVE-2024-41023, CVE-2024-41045, CVE-2024-42084, CVE-2024-42143, CVE-2024-42161, CVE-2024-42239, CVE-2024-42246, CVE-2024-42283, CVE-2024-42312, CVE-2024-43098, CVE-2024-43817, CVE-2024-43846, CVE-2024-43883, CVE-2024-43889, CVE-2024-43890, CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43914, CVE-2024-44944, CVE-2024-44989, CVE-2024-44990, CVE-2024-45006, CVE-2024-46674, CVE-2024-46675, CVE-2024-46707, CVE-2024-46719, CVE-2024-46735, CVE-2024-46743, CVE-2024-46750, CVE-2024-46763, CVE-2024-46782, CVE-2024-46787, CVE-2024-46829, CVE-2024-47667, CVE-2024-47668, CVE-2024-47671, CVE-2024-47679, CVE-2024-47685, CVE-2024-47692, CVE-2024-47695, CVE-2024-47705, CVE-2024-47706, CVE-2024-47707, CVE-2024-47736, CVE-2024-47737, CVE-2024-47739, CVE-2024-47742, CVE-2024-47755, CVE-2024-48881, CVE-2024-49569, CVE-2024-49851, CVE-2024-49858, CVE-2024-49878, CVE-2024-49924, CVE-2024-49933, CVE-2024-49948, CVE-2024-49949, CVE-2024-49952, CVE-2024-49954, CVE-2024-49963, 
CVE-2024-49975, CVE-2024-49978, CVE-2024-50002, CVE-2024-50036, CVE-2024-50045, CVE-2024-50046, CVE-2024-50059, CVE-2024-50082, CVE-2024-50083, CVE-2024-50115, CVE-2024-50131, CVE-2024-50150, CVE-2024-50151, CVE-2024-50153, CVE-2024-50179, CVE-2024-50180, CVE-2024-50181, CVE-2024-50251, CVE-2024-50256, CVE-2024-50258, CVE-2024-50264, CVE-2024-50267, CVE-2024-50269, CVE-2024-50301, CVE-2024-50304, CVE-2024-53054, CVE-2024-53066, CVE-2024-53068, CVE-2024-53103, CVE-2024-53104, CVE-2024-53119, CVE-2024-53122, CVE-2024-53124, CVE-2024-53125, CVE-2024-53140, CVE-2024-53141, CVE-2024-53146, CVE-2024-53157, CVE-2024-53161, CVE-2024-53172, CVE-2024-53174, CVE-2024-53194, CVE-2024-53214, CVE-2024-53234, CVE-2024-56558, CVE-2024-56569, CVE-2024-56570, CVE-2024-56583, CVE-2024-56600, CVE-2024-56602, CVE-2024-56605, CVE-2024-56606, CVE-2024-56610, CVE-2024-56614, CVE-2024-56636, CVE-2024-56637, CVE-2024-56642, CVE-2024-56644, CVE-2024-56664, CVE-2024-56672, CVE-2024-56686, CVE-2024-56688, CVE-2024-56694, CVE-2024-56698, CVE-2024-56739, CVE-2024-56747, CVE-2024-56751, CVE-2024-56756, CVE-2024-56779, CVE-2024-56780, CVE-2024-57807, CVE-2024-57888, CVE-2024-57889, CVE-2024-57903, CVE-2024-57913, CVE-2024-57917, CVE-2024-57929, CVE-2024-57951, CVE-2024-57981, CVE-2024-58010, CVE-2025-21656, CVE-2025-21664, CVE-2025-21683, CVE-2025-21689, CVE-2025-21699, CVE-2025-21704, CVE-2025-21724, CVE-2025-21726, CVE-2025-21727, CVE-2025-21728, CVE-2025-21731, CVE-2025-21734, CVE-2025-21745, CVE-2025-21787, CVE-2025-21804, CVE-2025-21814, CVE-2025-21844, CVE-2025-21853, CVE-2025-21887