MiracleLinux 7 : kernel-3.10.0-1160.119.1.0.1.el7.AXS7 (AXSA:2024-8651:24)

high Nessus Plugin ID 292383

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8651:24 advisory.

- kvm: initialize all of the kvm_debugregs structure before sending it to userspace {CVE-2023-1513}
- wifi: mac80211: fix MBSSID parsing use-after-free {CVE-2022-42719}
- mac80211: always allocate struct ieee802_11_elems {CVE-2022-42719}
- netfilter: nf_tables: initialize registers in nft_do_chain() {CVE-2022-1016}
- xprtrdma: fix incorrect header size calculations {CVE-2022-0812}
- net: usb: fix memory leak in smsc75xx_bind {CVE-2021-47171}
- i2c: i801: Don't generate an interrupt on bus reset {CVE-2021-47153}
- pid: take a reference when initializing `cad_pid` {CVE-2021-47118}
- Input: appletouch - initialize work before device registration {CVE-2021-46932}
- HID: usbhid: fix info leak in hid_submit_ctrl {CVE-2021-46906}
- quota: check block number when reading the block in quota file {CVE-2021-45868}
- mwifiex: Fix skb_over_panic in mwifiex_usb_recv() {CVE-2021-43976}
- atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait {CVE-2021-43975}
- isdn: cpai: check ctr->cnr to avoid array index out of bound {CVE-2021-43389}
- usb: hso: fix error handling code of hso_create_net_device {CVE-2021-37159}
- can: bcm: fix infoleak in struct bcm_msg_head {CVE-2021-34693}
- dm ioctl: fix out of bounds array access when no devices {CVE-2021-31916}
- KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref {CVE-2021-30178}
- perf/x86/intel: Fix a crash caused by zero PEBS status {CVE-2021-28971}
- btrfs: fix race when cloning extent buffer during rewind of an old root {CVE-2021-28964}
- ovl: fix missing negative dentry check in ovl_rename() {CVE-2021-20321}
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure. {CVE-2021-20292}
- bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() {CVE-2021-4159}
- btrfs: unlock newly allocated extent buffer after error {CVE-2021-4149}
- tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. {CVE-2021-3679}
- net: mac802154: Fix general protection fault {CVE-2021-3659}
- nfsd4: readdirplus shouldn't return parent of export {CVE-2021-3178}
- Bluetooth: SMP: Fail if remote and local public keys are identical {CVE-2021-0129}
- drm/nouveau: clean up all clients on device removal {CVE-2020-27820}
- drm/nouveau: Add a dedicated mutex for the clients list {CVE-2020-27820}
- drm/nouveau: use drm_dev_unplug() during device removal {CVE-2020-27820}
- Bluetooth: SMP: Fail if remote and local public keys are identical {CVE-2020-26555}
- vsock: Fix memory leak in vsock_connect() {CVE-2022-3629}
- RDMA/core: Don't infoleak GRH fields {CVE-2021-3923}
- xen/netfront: force data bouncing when backend is untrusted {CVE-2022-33741}
- net: Rename and export copy_skb_header
- floppy: use a statically allocated error counter {CVE-2022-1652}
- fuse: fix pipe buffer lifetime for direct_io {CVE-2022-1011}
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts {CVE-2024-26898}
- smb: client: fix use-after-free bug in cifs_debug_data_proc_show() {CVE-2023-52752}
- media: pvrusb2: fix use after free on context disconnection {CVE-2023-52445}
- media: dm1105: Fix use after free bug in dm1105_remove due to race condition {CVE-2023-35824}
- perf: Fix perf_event_validate_size() lockdep splat {CVE-2023-6931}
- perf: Fix perf_event_validate_size() {CVE-2023-6931}
- net/sched: sch_hfsc: Ensure inner classes have fsc curve {CVE-2023-4623}
- relayfs: fix out-of-bounds access in relay_file_read {CVE-2023-3268}
- xfs: verify buffer contents when we skip log replay {CVE-2023-2124}
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition {CVE-2023-1989}
- Fix double fget() in vhost_net_set_backend() {CVE-2023-1838}
- net/sched: cls_tcindex: downgrade to imperfect hash {CVE-2023-1829}
- xen/netfront: fix leaking data in shared pages {CVE-2022-33740}
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path {CVE-2022-28390}
- xen/blkfront: fix leaking data in shared pages {CVE-2022-26365}
- mISDN: fix use-after-free bugs in l1oip timer handlers {CVE-2022-3565}
- drm/vgem: Close use-after-free race in vgem_gem_create {CVE-2022-1419}
- cfg80211: call cfg80211_stop_ap when switch from P2P_GO type {CVE-2021-47194}
- net: fix use-after-free in tw_timer_handler {CVE-2021-46936}
- ext4: fix race writing to an inline_data file while its xattrs are changing {CVE-2021-40490}
- virtio_console: Assure used length from device is limited {CVE-2021-38160}
- pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() {CVE-2021-4157}
- Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() {CVE-2021-3640}
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl {CVE-2021-3612}
- Input: joydev - prevent potential read overflow in ioctl {CVE-2021-3612}
- can: bcm: delay release of struct bcm_op after synchronize_rcu() {CVE-2021-3609}
- vt: keyboard: avoid signed integer overflow in k_ascii {CVE-2020-13974}
- i2c: Fix a potential use after free {CVE-2019-25162}
- drivers: net: slip: fix NPD bug in sl_tx_timeout() {CVE-2022-41858}
- Bluetooth: L2CAP: Fix u8 overflow {CVE-2022-45934}
- btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() {CVE-2023-3111}
- memstick: r592: Fix UAF bug in r592_remove due to race condition {CVE-2023-3141}
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() {CVE-2023-1118}
- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF {CVE-2023-3567}
- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb {CVE-2023-40283}
- wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() {CVE-2023-1380}
- tcp: Fix data races around icsk->icsk_af_ops. {CVE-2022-3566}
- staging: rtl8712: fix use after free bugs {CVE-2022-4095}
- ext4: fix kernel infoleak via ext4_extent_header {CVE-2022-0850}
- af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register {CVE-2022-1353}
- misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os {CVE-2022-3424}
- x86/elf: Disable automatic READ_IMPLIES_EXEC on 64-bit {CVE-2022-25265}
- x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK {CVE-2022-25265}
- x86/elf: Add table to document READ_IMPLIES_EXEC {CVE-2022-25265}
- ipv6: use prandom_u32() for ID generation {CVE-2021-45485}
- bpf: Fix integer overflow in prealloc_elems_and_freelist() {CVE-2021-41864}
- ipv4: make exception cache less predictible {CVE-2021-20322}
- ipv4: use siphash instead of Jenkins in fnhe_hashfun() {CVE-2021-20322}
- net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() {CVE-2023-4387}
- netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one {CVE-2023-39197}
- ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet {CVE-2023-6932}
- smb: client: fix potential OOB in smb2_dump_detail() {CVE-2023-6610}
- smb: client: fix OOB in smbCalcSize() {CVE-2023-6606}
- atm: Fix Use-After-Free in do_vcc_ioctl {CVE-2023-51780}
- drm/amdgpu: Fix potential fence use-after-free v2 {CVE-2023-51042}
- sched/rt: pick_next_rt_entity(): check list_entry {CVE-2023-1077}
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb {CVE-2022-1679}
- net: prevent mss overflow in skb_segment() {CVE-2023-52435}
- drm/atomic: Fix potential use-after-free in nonblocking commits {CVE-2023-42753}
- debug: Lock down kgdb {CVE-2022-21499}

CVE-2023-1513 A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
CVE-2022-42719 A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
CVE-2022-1016 A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
CVE-2022-0812 An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information.
CVE-2021-47171 In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported memory leak in smsc75xx_bind(). The problem is non-freed memory in case of errors after memory allocation. backtrace: [] kmalloc include/linux/slab.h:556 [inline] [] kzalloc include/linux/slab.h:686 [inline] [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
CVE-2021-47153 In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in an attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot: https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction.
CVE-2021-47118 In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ([PATCH] replace cad_pid by a struct pid) from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`.
---truncated---
CVE-2021-46932 In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initialization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device
CVE-2021-46906 In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().
CVE-2021-45868 In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
CVE-2021-43976 In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
CVE-2021-43975 In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.
CVE-2021-43389 An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
CVE-2021-37159 hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
CVE-2021-34693 net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-31916 An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVE-2021-30178 An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.
CVE-2021-28971 In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
CVE-2021-28964 A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.
CVE-2021-20321 A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
CVE-2021-20292 There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
CVE-2021-4159 A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVE-2021-4149 A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.
CVE-2021-3679 A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
CVE-2021-3659 A NULL pointer dereference flaw was found in the Linux kernel's IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.
CVE-2021-3178 ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.
CVE-2021-0129 Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVE-2020-27820 A vulnerability was found in the Linux kernel, where a use-after-free in nouveau's postclose() handler could happen when removing the device (it is not common to remove a video card physically without power-off, but the same happens when unbinding the driver).
CVE-2020-26555 Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.
CVE-2022-3629 A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
CVE-2021-3923 A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2022-33741 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVE-2022-1652 Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2022-1011 A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
CVE-2024-26898 In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
CVE-2023-52752 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being torn down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381
CVE-2023-52445 In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.
CVE-2023-35824 An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
CVE-2023-6931 A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
CVE-2023-4623 A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
CVE-2023-3268 An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
CVE-2023-2124 An out-of-bounds memory access flaw was found in the Linux kernel's XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the sys ...

Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/19835

Plugin Details

Severity: High

ID: 292383

File Name: miracle_linux_AXSA-2024-8651.nasl

Version: 1.1

Type: local

Published: 1/20/2026

Updated: 1/20/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.4

Temporal Score: 5.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-4157

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-42719

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:kernel-tools-libs, p-cpe:/a:miracle:linux:kernel-tools, p-cpe:/a:miracle:linux:kernel-debug, p-cpe:/a:miracle:linux:kernel-debug-devel, p-cpe:/a:miracle:linux:bpftool, p-cpe:/a:miracle:linux:perf, p-cpe:/a:miracle:linux:kernel, p-cpe:/a:miracle:linux:kernel-headers, p-cpe:/a:miracle:linux:python-perf, p-cpe:/a:miracle:linux:kernel-abi-whitelists, cpe:/o:miracle:linux:7, p-cpe:/a:miracle:linux:kernel-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/9/2024

Vulnerability Publication Date: 6/9/2020

Reference Information

CVE: CVE-2019-25162, CVE-2020-13974, CVE-2020-26555, CVE-2020-27820, CVE-2021-0129, CVE-2021-20292, CVE-2021-20321, CVE-2021-20322, CVE-2021-28964, CVE-2021-28971, CVE-2021-30178, CVE-2021-3178, CVE-2021-31916, CVE-2021-34693, CVE-2021-3609, CVE-2021-3612, CVE-2021-3640, CVE-2021-3659, CVE-2021-3679, CVE-2021-37159, CVE-2021-38160, CVE-2021-3923, CVE-2021-40490, CVE-2021-4149, CVE-2021-4157, CVE-2021-4159, CVE-2021-41864, CVE-2021-43389, CVE-2021-43975, CVE-2021-43976, CVE-2021-45485, CVE-2021-45868, CVE-2021-46906, CVE-2021-46932, CVE-2021-46936, CVE-2021-47118, CVE-2021-47153, CVE-2021-47171, CVE-2021-47194, CVE-2022-0812, CVE-2022-0850, CVE-2022-1011, CVE-2022-1016, CVE-2022-1353, CVE-2022-1419, CVE-2022-1652, CVE-2022-1679, CVE-2022-21499, CVE-2022-25265, CVE-2022-26365, CVE-2022-28390, CVE-2022-33740, CVE-2022-33741, CVE-2022-3424, CVE-2022-3565, CVE-2022-3566, CVE-2022-3629, CVE-2022-4095, CVE-2022-41858, CVE-2022-42719, CVE-2022-45934, CVE-2023-1077, CVE-2023-1118, CVE-2023-1380, CVE-2023-1513, CVE-2023-1829, CVE-2023-1838, CVE-2023-1989, CVE-2023-2124, CVE-2023-3111, CVE-2023-3141, CVE-2023-3268, CVE-2023-3567, CVE-2023-35824, CVE-2023-39197, CVE-2023-40283, CVE-2023-42753, CVE-2023-4387, CVE-2023-4623, CVE-2023-51042, CVE-2023-51780, CVE-2023-52435, CVE-2023-52445, CVE-2023-52752, CVE-2023-6606, CVE-2023-6610, CVE-2023-6931, CVE-2023-6932, CVE-2024-26898