ALT-PU-2020-1646-3 — kernel-image-rpi-un

BDU:2020-01075

HIGH7.1

Уязвимость функции rwsem_down_write_slowpath (kernel/locking/rwsem.c) ядра операционной системы Linux, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании

Published: 2020-03-18Modified: 2024-05-30

CVSS 3.xHIGH 7.1

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVSS 2.0MEDIUM 6.2

CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:N/A:C

References

CVE-2020-9383

BDU:2020-01076

MEDIUM5.5

Уязвимость архитектуры AArch64 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-03-18Modified: 2025-01-29

CVSS 3.xMEDIUM 5.5

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2020-9391

BDU:2020-02425

MEDIUM6.7

Уязвимость функции mt76_add_fragment (drivers/net/wireless/mediatek/mt76/dma.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании и раскрыть защищаемую информацию

Published: 2020-05-29Modified: 2025-01-29

CVSS 3.xMEDIUM 6.7

CVSS:3.x/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2020-12465

BDU:2020-02430

MEDIUM5.5

Уязвимость функции svm_cpu_uninit (arch/x86/kvm/svm.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-05-29Modified: 2025-01-29

CVSS 3.xMEDIUM 5.5

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2020-12768

BDU:2020-02707

MEDIUM5.3

Уязвимость функции get_raw_socket (drivers/vhost/net.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-06-10Modified: 2024-05-30

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CVSS 2.0MEDIUM 4.5

CVSS:2.0/AV:L/AC:H/Au:S/C:N/I:P/A:C

References

CVE-2020-10942

BDU:2020-03027

MEDIUM5.5

Уязвимость функции go7007_snd_init() (drivers/media/usb/go7007/snd-go7007.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-06-30Modified: 2024-05-31

CVSS 3.xMEDIUM 5.5

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2019-20810

BDU:2020-05548

HIGH7.0

Уязвимость функции kmem_cache_alloc_bulk (mm/slub.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-12-03Modified: 2024-09-13

CVSS 3.xHIGH 7.0

CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 6.0

CVSS:2.0/AV:L/AC:H/Au:S/C:C/I:C/A:C

References

CVE-2020-29370

BDU:2020-05551

HIGH8.2

Уязвимость компонента Filesystem Handler ядра операционных систем Linux, позволяющая нарушителю оказать влияние на целостность и конфиденциальность данных

Published: 2020-12-03Modified: 2025-01-29

CVSS 3.xHIGH 8.2

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS 2.0HIGH 8.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:C/A:N

References

CVE-2020-29373

BDU:2020-05792

HIGH7.8

Уязвимость реализации futex ядра операционной системы Linux, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2020-12-23Modified: 2024-05-30

CVSS 3.xHIGH 7.8

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2020-14381

BDU:2022-02515

HIGH8.4

Уязвимость функции vgem_gem_dumb_create ядра операционной системы Linux, позволяющая нарушителю выполнить произвольный код

Published: 2022-04-22Modified: 2024-11-07

CVSS 3.xHIGH 8.4

CVSS:3.x/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.2

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2022-1419

BDU:2022-03144

HIGH7.8

Уязвимость функции route4_change() (net/sched/cls_route.c) ядра операционной системы Linux, позволяющая нарушителю получить доступ к конфиденциальной информации или вызвать отказ в обслуживании

Published: 2022-05-26Modified: 2024-06-18

CVSS 3.xHIGH 7.8

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2021-3715

BDU:2022-04742

MEDIUM5.1

Уязвимость реализации вызова VT_RESIZEX ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2022-08-02Modified: 2024-09-13

CVSS 3.xMEDIUM 5.1

CVSS:3.x/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:C

References

CVE-2020-36558

BDU:2024-01190

MEDIUM5.3

Уязвимость функции snd_hdac_regmap_sync() в модуле sound/hda/hdac_regmap.c драйвера High-Definition Audio (HDA) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-02-13Modified: 2024-11-11

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H

CVSS 2.0LOW 3.8

CVSS:2.0/AV:L/AC:H/Au:S/C:N/I:N/A:C

References

CVE-2024-23196

BDU:2024-01196

MEDIUM5.3

Уязвимость реализации протокола HCI драйвера bluetooth ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-02-13Modified: 2025-05-06

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:A/AC:H/Au:N/C:N/I:N/A:C

References

CVE-2024-24860

BDU:2026-03971

HIGH7.1

Уязвимость функции tcindex_set_parms() модуля net/sched/cls_tcindex.c подсистемы управления трафиком net/sched ядра операционной системы Linux, позволяющая нарушителю получить доступ к защищаемой информации или вызвать отказ в обслуживании

Published: 2026-03-26

CVSS 3.xHIGH 7.1

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVSS 2.0MEDIUM 6.2

CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:N/A:C

References

CVE-2020-36791

CVE-2019-20810

MEDIUM5.5

go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.

Published: 2020-06-03Modified: 2024-11-21

CVSS 2.0MEDIUM 4.9

CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2020-10942

MEDIUM5.3

In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.

Published: 2020-03-24Modified: 2024-11-21

CVSS 2.0MEDIUM 5.4

CVSS:2.0/AV:L/AC:M/Au:N/C:N/I:P/A:C

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

References

CVE-2020-12465

MEDIUM6.7

An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.

Published: 2020-04-29Modified: 2024-11-21

CVSS 2.0HIGH 7.2

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS 3.xMEDIUM 6.7

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-12768

MEDIUM5.5

An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will

Published: 2020-05-09Modified: 2024-11-21

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2020-14381

HIGH7.8

A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Published: 2020-12-03Modified: 2026-02-25

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-29370

HIGH7.0

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

Published: 2020-11-28Modified: 2024-11-21

CVSS 2.0MEDIUM 4.4

CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.0

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2020-29373

MEDIUM6.5

An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.

Published: 2020-11-28Modified: 2024-11-21

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References

CVE-2020-36558

MEDIUM5.1

A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.

Published: 2022-07-21Modified: 2024-11-21

CVSS 3.xMEDIUM 5.1

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2020-36791

HIGH7.1

In the Linux kernel, the following vulnerability has been resolved: net_sched: keep alloc_hash updated after hash allocation In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex") I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched. This difference could lead to another out of bound access. cp->alloc_hash should always be the size allocated, we should update it after this tcindex_alloc_perfect_hash().

Published: 2025-05-07Modified: 2025-11-10

CVSS 3.xHIGH 7.1

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

CVE-2020-9383

HIGH7.1

An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.

Published: 2020-02-25Modified: 2024-11-21

CVSS 2.0LOW 3.6

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:P

CVSS 3.xHIGH 7.1

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

CVE-2020-9391

MEDIUM5.5

An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been observed to cause heap corruption with the GNU C Library malloc implementation.

Published: 2020-02-25Modified: 2024-11-21

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2021-3715

HIGH7.8

A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Published: 2022-03-02Modified: 2024-11-21

CVSS 2.0HIGH 7.2

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2022-1419

HIGH7.8

The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of drm_vgem_gem_object (created in vgem_gem_dumb_create) concurrently, and vgem_gem_dumb_create will access the freed drm_vgem_gem_object.

Published: 2022-06-02Modified: 2024-11-21

CVSS 2.0MEDIUM 4.6

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2024-23196

MEDIUM4.7

A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

Published: 2024-02-05Modified: 2024-11-21

CVSS 3.xMEDIUM 4.7

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2024-24860

MEDIUM5.3

A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

Published: 2024-02-05Modified: 2025-02-13

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Package update kernel-image-rpi-un in branch p9

Closed issues (30)

Уязвимость архитектуры AArch64 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции svm_cpu_uninit (arch/x86/kvm/svm.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции get_raw_socket (drivers/vhost/net.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции go7007_snd_init() (drivers/media/usb/go7007/snd-go7007.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции kmem_cache_alloc_bulk (mm/slub.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента Filesystem Handler ядра операционных систем Linux, позволяющая нарушителю оказать влияние на целостность и конфиденциальность данных

Уязвимость функции vgem_gem_dumb_create ядра операционной системы Linux, позволяющая нарушителю выполнить произвольный код

Уязвимость реализации вызова VT_RESIZEX ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции snd_hdac_regmap_sync() в модуле sound/hda/hdac_regmap.c драйвера High-Definition Audio (HDA) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость реализации протокола HCI драйвера bluetooth ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.

In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.

An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.

An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.

A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.

An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.

The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of drm_vgem_gem_object (created in vgem_gem_dumb_create) concurrently, and vgem_gem_dumb_create will access the freed drm_vgem_gem_object.

A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

Package update kernel-image-rpi-un in branch p9

Closed issues (30)

Уязвимость архитектуры AArch64 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции svm_cpu_uninit (arch/x86/kvm/svm.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции get_raw_socket (drivers/vhost/net.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции go7007_snd_init() (drivers/media/usb/go7007/snd-go7007.c) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции kmem_cache_alloc_bulk (mm/slub.c) ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента Filesystem Handler ядра операционных систем Linux, позволяющая нарушителю оказать влияние на целостность и конфиденциальность данных

Уязвимость функции vgem_gem_dumb_create ядра операционной системы Linux, позволяющая нарушителю выполнить произвольный код

Уязвимость реализации вызова VT_RESIZEX ядра операционных систем Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции snd_hdac_regmap_sync() в модуле sound/hda/hdac_regmap.c драйвера High-Definition Audio (HDA) ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость реализации протокола HCI драйвера bluetooth ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании

go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.

In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.

An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages.

An issue was discovered in the Linux kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ff297e. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.

A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.

An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.

The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.

A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of drm_vgem_gem_object (created in vgem_gem_dumb_create) concurrently, and vgem_gem_dumb_create will access the freed drm_vgem_gem_object.