Merge pull request #63 from canonical/workbench

cengiz-io · web-flow · commit db61c12dc46f · 2025-09-30T04:36:43.000+03:00
Week 40
diff --git a/vulns/CVE-2021-47294.yml b/vulns/CVE-2021-47294.yml
@@ -0,0 +1,7 @@
+reachability: Potentially Remote
+memory_corruption: no
+bug_class: memory leak
+impact: decreased system performance, warning
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2021-47319.yml b/vulns/CVE-2021-47319.yml
@@ -0,0 +1,7 @@
+reachability: VM
+memory_corruption: no
+bug_class: Memory leak
+impact: decreased system performance, warning
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2021-47330.yml b/vulns/CVE-2021-47330.yml
@@ -0,0 +1,7 @@
+reachability: local
+memory_corruption: no
+bug_class: memory leak
+impact: decreased system performance, warning
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2021-47385.yml b/vulns/CVE-2021-47385.yml
@@ -0,0 +1,7 @@
+reachability: local
+memory_corruption: no
+bug_class: Null-Pointer Dereference
+impact: Panic/crash
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2021-47589.yml b/vulns/CVE-2021-47589.yml
@@ -0,0 +1,7 @@
+reachability: no
+memory_corruption: yes
+bug_class: double free
+impact: crash/unexpected behavior
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2022-49390.yml b/vulns/CVE-2022-49390.yml
@@ -0,0 +1,8 @@
+reachability: local
+memory_corruption: No
+bug_class: UAF
+impact: access data, unexpected behavior
+privileges_required: ''
+notes: create a new macsec device without reference to real_dev, can lead
+  to UAF bug for real_dev
+author: Canonical
diff --git a/vulns/CVE-2022-50233.yml b/vulns/CVE-2022-50233.yml
@@ -0,0 +1,8 @@
+reachability: Local
+memory_corruption: 'True'
+bug_class: Buffer corruption
+impact: kernel crash
+privileges_required: CAP_NET_ADMIN
+notes: This is a bluetooth device name buffer overflow that is not easy to
+  trigger but still feasible
+author: Canonical
diff --git a/vulns/CVE-2023-4458.yml b/vulns/CVE-2023-4458.yml
@@ -0,0 +1,7 @@
+reachability: remote
+memory_corruption: no
+bug_class: OOB read
+impact: access data, unexpected behavior
+privileges_required: Yes
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2023-52572.yml b/vulns/CVE-2023-52572.yml
@@ -0,0 +1,7 @@
+reachability: maybe remote
+memory_corruption: no
+bug_class: UAF
+impact: access data, unexpected behavior
+privileges_required: yes
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2023-52751.yml b/vulns/CVE-2023-52751.yml
@@ -0,0 +1,7 @@
+reachability: maybe remote
+memory_corruption: no
+bug_class: UAF
+impact: access data, unexpected behavior
+privileges_required: yes
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2023-52885.yml b/vulns/CVE-2023-52885.yml
@@ -0,0 +1,8 @@
+reachability: remote
+memory_corruption: No
+bug_class: Use-after-Free
+impact: access data, unexpected behavior
+privileges_required: ''
+notes: The vulnerability is a use-after-free (read) that can be triggered
+  remotely by winning a race condition.
+author: Canonical
diff --git a/vulns/CVE-2023-52975.yml b/vulns/CVE-2023-52975.yml
@@ -0,0 +1,8 @@
+reachability: maybe remote
+memory_corruption: yes
+bug_class: UAF
+impact: currupt data/crash
+privileges_required: ''
+notes: during iSCSI session logout, if another task accesses the shost ipaddress
+  attr, we can get a UAF write
+author: Canonical
diff --git a/vulns/CVE-2023-53138.yml b/vulns/CVE-2023-53138.yml
@@ -0,0 +1,8 @@
+reachability: Local
+memory_corruption: yes
+bug_class: UAF read
+impact: DoS
+privileges_required: CAP_NET_ADMIN
+notes: Requires creating and then unregistering a CAIF network device in a
+  special way.
+author: Canonical
diff --git a/vulns/CVE-2024-26852.yml b/vulns/CVE-2024-26852.yml
@@ -0,0 +1,7 @@
+reachability: maybe remote
+memory_corruption: no
+bug_class: UAF read
+impact: access data, unexpected behavior
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2024-49883.yml b/vulns/CVE-2024-49883.yml
@@ -0,0 +1,8 @@
+reachability: Local
+memory_corruption: no
+bug_class: Use-after-free
+impact: data integrity
+privileges_required: ''
+notes: The vulnerability is a use-after-free (read) that must be triggered
+  locally.
+author: Canonical
diff --git a/vulns/CVE-2024-49950.yml b/vulns/CVE-2024-49950.yml
@@ -0,0 +1,7 @@
+reachability: maybe remote
+memory_corruption: no
+bug_class: UAF
+impact: access data, unexpected behavior
+privileges_required: ''
+notes: affects L2CAP connection handling in the bluetooth stack
+author: Canonical
diff --git a/vulns/CVE-2024-50073.yml b/vulns/CVE-2024-50073.yml
@@ -0,0 +1,9 @@
+reachability: maybe remote
+memory_corruption: no
+bug_class: Deadlock
+impact: hang
+privileges_required: ''
+notes: affects the GSM 07.10 multiplexer line discipline in the TTY subsystem
+  -  improper acquisition or release of the tx_lock spinlock, potentially
+  resulting in deadlocks during multiplexer teardown or data transmission.
+author: Canonical
diff --git a/vulns/CVE-2024-50178.yml b/vulns/CVE-2024-50178.yml
@@ -0,0 +1,7 @@
+reachability: local
+memory_corruption: no
+bug_class: lock issue
+impact: damage data, unexpected behavior
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2024-50183.yml b/vulns/CVE-2024-50183.yml
@@ -0,0 +1,7 @@
+reachability: local
+memory_corruption: no
+bug_class: hang
+impact: unpredicted behavior
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2024-53114.yml b/vulns/CVE-2024-53114.yml
@@ -0,0 +1,7 @@
+reachability: local
+memory_corruption: No
+bug_class: Logic error
+impact: random host reboot
+privileges_required: yes
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2024-53124.yml b/vulns/CVE-2024-53124.yml
@@ -0,0 +1,7 @@
+reachability: maybe remote
+memory_corruption: yes
+bug_class: Memory corruption
+impact: unpredicted system behavior
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2024-53217.yml b/vulns/CVE-2024-53217.yml
@@ -0,0 +1,7 @@
+reachability: Potentially Remote
+memory_corruption: No
+bug_class: Null-Pointer Dereference
+impact: DoS
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2024-54458.yml b/vulns/CVE-2024-54458.yml
@@ -0,0 +1,8 @@
+reachability: local
+memory_corruption: no
+bug_class: UaF
+impact: access data, unexpected behavior
+privileges_required: high
+notes: according to the fix author this vulnerability doesn't currently cause
+  any issues
+author: Canonical
diff --git a/vulns/CVE-2025-21727.yml b/vulns/CVE-2025-21727.yml
@@ -0,0 +1,7 @@
+reachability: local
+memory_corruption: no
+bug_class: Use-after-free
+impact: access data, unexpected behavior
+privileges_required: ''
+notes: ''
+author: Canonical
diff --git a/vulns/CVE-2025-21887.yml b/vulns/CVE-2025-21887.yml
@@ -0,0 +1,7 @@
+reachability: Local
+memory_corruption: No
+bug_class: UAF
+impact: ''
+privileges_required: low
+notes: assumes an OverlayFS has already been mounted (container use case)
+author: Canonical
diff --git a/vulns/CVE-2025-37838.yml b/vulns/CVE-2025-37838.yml
@@ -0,0 +1,9 @@
+reachability: Local
+memory_corruption: Yes
+bug_class: Use-after-free
+impact: potential crash or system instability
+privileges_required: High
+notes: Practically requires CAP_SYS_MODULE/root to unload the module and hit
+  the race. Also the HSI/ssi_protocol driver is not present in most Ubuntu
+  flavors.
+author: Canonical
diff --git a/vulns/CVE-2025-38056.yml b/vulns/CVE-2025-38056.yml
@@ -0,0 +1,7 @@
+reachability: Local
+memory_corruption: 'True'
+bug_class: UAF read
+impact: Local privilege escalation
+privileges_required: root
+notes: Requires a privileged party to remove and insert the sound driver module
+author: Canonical
diff --git a/vulns/CVE-2025-38352.yml b/vulns/CVE-2025-38352.yml
@@ -3,15 +3,11 @@ memory_corruption: no
 bug_class: Race
 impact: DoS
 privileges_required: no
-notes:
-A race problem was observed between handle_posix_cpu_timers() and posix_cpu_timer_del() in kernel/time/posix-cpu-timers.c
-
-If an exiting non-autoreaping task has already passed exit_notify() and
-calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
-or debugger right after unlock_task_sighand().
-
-If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
-able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
-lock_task_sighand() will fail.
+notes: |
+  handle_posix_cpu_timers() can race with posix_cpu_timer_del() in
+  kernel/time/posix-cpu-timers.c when a non-autoreaping task exits after
+  exit_notify() and runs handle_posix_cpu_timers() from IRQ. The parent or
+  debugger can reap the task after unlock_task_sighand(), and a concurrent
+  posix_cpu_timer_del() then fails to observe timer->it.cpu.firing != 0 because
+  cpu_timer_task_rcu() or lock_task_sighand() fails.
 author: RedHat
-
diff --git a/vulns/CVE-2025-38514.yml b/vulns/CVE-2025-38514.yml
@@ -3,10 +3,8 @@ memory_corruption: no
 bug_class: Oops
 impact: DoS
 privileges_required: no
-notes:
-If an AF_RXRPC service socket is opened and bound, but calls are
-preallocated, then rxrpc_alloc_incoming_call() will oops because the
-rxrpc_backlog struct doesn't get allocated until the first preallocation is
-made.
+notes: |
+  If an AF_RXRPC service socket is opened and bound but calls are
+  preallocated, rxrpc_alloc_incoming_call() will oops because rxrpc_backlog is
+  allocated only when the first preallocation is made.
 author: RedHat
-
diff --git a/vulns/CVE-2025-38541.yml b/vulns/CVE-2025-38541.yml
@@ -0,0 +1,8 @@
+reachability: Local
+memory_corruption: No
+bug_class: Null pointer dereference
+impact: DoS
+privileges_required: ''
+notes: Need to have a valid device name long enough to make `kasprintf ` run
+  out of memory.
+author: Canonical
diff --git a/vulns/CVE-2025-38559.yml b/vulns/CVE-2025-38559.yml
@@ -3,11 +3,8 @@ memory_corruption: no
 bug_class: Null Pointer Dereference
 impact: DoS
 privileges_required: no
-notes:
-Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The
-current use of the endpoint value is only valid for telemetry endpoint
-usage.
-Without the ep, the crashlog usage causes the following NULL pointer
-exception:
+notes: |
+  intel_pmt_read() usage for binary sysfs requires a pcidev, but the current
+  endpoint-based access is valid only for telemetry endpoints. Without the ep
+  value the crashlog path triggers a null pointer exception.
 author: RedHat
-
diff --git a/vulns/CVE-2025-38589.yml b/vulns/CVE-2025-38589.yml
@@ -3,7 +3,6 @@ memory_corruption: no
 bug_class: Null Pointer Dereference
 impact: DoS
 privileges_required: no
-notes:
-A null-ptr-deref in neigh_flush_dev(). 
+notes: |
+  A null pointer dereference occurs in neigh_flush_dev().
 author: RedHat
-
diff --git a/vulns/CVE-2025-38606.yml b/vulns/CVE-2025-38606.yml
@@ -3,7 +3,7 @@ memory_corruption: no
 bug_class: Null Pointer Dereference
 impact: DoS
 privileges_required: no
-notes:
-An uninitialized data access (arvif->ar) during beacon miss lead to null pointer
+notes: |
+  An uninitialized access to arvif->ar during a beacon miss leads to a null
+  pointer dereference.
 author: RedHat
-
diff --git a/vulns/CVE-2025-39717.yml b/vulns/CVE-2025-39717.yml
@@ -3,20 +3,15 @@ memory_corruption: no
 bug_class: UAF
 impact: DoS
 privileges_required: no
-notes:
-As described in commit 7a54947e727b ('Merge patch series "fs: allow
-changing idmappings"'), open_tree_attr(2) was necessary in order to
-allow for a detached mount to be created and have its idmappings changed
-without the risk of any racing threads operating on it. For this reason,
-mount_setattr(2) still does not allow for id-mappings to be changed.
+notes: |
+  As described in commit 7a54947e727b (merge patch series 'fs: allow changing
+  idmappings'), open_tree_attr(2) is required to create a detached mount whose
+  idmapping can be modified without racing threads. mount_setattr(2) still
+  forbids idmapping changes for that reason.
 
-However, there was a bug in commit 2462651ffa76 which allowed users to bypass this restriction by calling
-open_tree_attr(2) without OPEN_TREE_CLONE.
-
-can_idmap_mount() prevented this bug from allowing an attached
-mountpoint's id-mapping from being modified (thanks to an is_anon_ns()
-check), but this still allows for detached (but visible) mounts to have
-their be id-mapping changed. This risks the same UAF and locking issues
-as described in the merge commit, and was likely unintentional.
+  Commit 2462651ffa76 inadvertently allowed bypassing the restriction by
+  calling open_tree_attr(2) without OPEN_TREE_CLONE. can_idmap_mount() blocks
+  updates to attached mounts through is_anon_ns(), but detached visible mounts
+  can still have their idmapping changed, reintroducing the UAF and locking
+  issues described in the merge commit.
 author: RedHat
-
diff --git a/vulns/CVE-2025-39727.yml b/vulns/CVE-2025-39727.yml
@@ -3,12 +3,11 @@ memory_corruption: yes
 bug_class: Buffer Overflow
 impact: DoS / Info Leak
 privileges_required: no
-notes:
-In setup_swap_map(), we only ensure badpages are in range (0, last_page].
-As maxpages might be < last_page, setup_clusters() will encounter a buffer
-overflow when a badpage is >= maxpages.
+notes: |
+  setup_swap_map() only ensures badpages fall within (0, last_page]. When
+  maxpages is smaller than last_page, setup_clusters() encounters a buffer
+  overflow once a badpage is greater than or equal to maxpages.
 
-Only call inc_cluster_info_page() for badpage which is < maxpages to fix
-the issue.
+  Only call inc_cluster_info_page() for badpages that are below maxpages to
+  avoid the overflow.
 author: RedHat
-
diff --git a/vulns/CVE-2025-39742.yml b/vulns/CVE-2025-39742.yml
@@ -3,10 +3,8 @@ memory_corruption: no
 bug_class: Divide-by-zero
 impact: DoS
 privileges_required: no
-notes:
-The function divides number of online CPUs by num_core_siblings, and
-later checks the divider by zero. This implies a possibility to get
-and divide-by-zero runtime error. Fix it by moving the check prior to
-division. This also helps to save one indentation level.
+notes: |
+  The code divides the number of online CPUs by num_core_siblings and only
+  later checks for zero, allowing a divide-by-zero. Moving the check before
+  the division prevents the runtime error.
 author: RedHat
-
diff --git a/vulns/CVE-2025-39757.yml b/vulns/CVE-2025-39757.yml
@@ -3,10 +3,8 @@ memory_corruption: no
 bug_class: OOM (Read)
 impact: Info Leak
 privileges_required: no
-notes:
-UAC3 class segment descriptors need to be verified whether their sizes
-match with the declared lengths and whether they fit with the
-allocated buffer sizes, too.  Otherwise malicious firmware may lead to
-the unexpected OOB accesses.
+notes: |
+  UAC3 class segment descriptors need to be verified to ensure their sizes
+  match the declared lengths and the allocated buffer sizes. Otherwise
+  malicious firmware may trigger unexpected out-of-bounds accesses.
 author: RedHat
-
diff --git a/vulns/CVE-2025-39761.yml b/vulns/CVE-2025-39761.yml
diff --git a/vulns/CVE-2025-39783.yml b/vulns/CVE-2025-39783.yml
