CVEs fixed in 5.18:
CVE-2022-1729: 3ac6487e584a1eb54071dbe1212e05b884136704 perf: Fix sys_perf_event_open() race against self
CVE-2022-1789: 9f46c187e2e680ecd9de7983e4d081c3391acc76 KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID
CVEs fixed in 5.18.1:
CVE-2022-21499: eca56bf0066ef2f1e7be0e3fa7564b85a309872c lockdown: also lock down previous kgdb use
CVEs fixed in 5.18.2:
CVE-2022-1852: 02ea15c02befea2539d5f0d6b60ce8df88de418b KVM: x86: avoid calling x86 emulator without a decoded instruction
CVE-2022-1966: 8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0 netfilter: nf_tables: disallow non-stateful expression in sets earlier
CVE-2022-1972: c9a46a3d549286861259c19af4747e12cfaeece9 netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
CVE-2022-2078: c9a46a3d549286861259c19af4747e12cfaeece9 netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
CVE-2022-2503: 417c73db67ea7ad8f03dfd34c6b0bb5f54294fa9 dm verity: set DM_TARGET_IMMUTABLE feature flag
CVE-2022-2873: 2a81133304e8c10e6afa03e59f1b11beaccc7153 i2c: ismt: prevent memory corruption in ismt_access()
CVE-2022-2959: 71c603806614c6715165eed06099e24c2e41ad58 pipe: Fix missing lock in pipe_resize_ring()
CVE-2022-3077: 2a81133304e8c10e6afa03e59f1b11beaccc7153 i2c: ismt: prevent memory corruption in ismt_access()
CVE-2022-32250: 8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0 netfilter: nf_tables: disallow non-stateful expression in sets earlier
CVEs fixed in 5.18.3:
CVE-2022-1184: 298659c0e7074f774a794fc293df4014617b87be ext4: verify dir block before splitting it
CVE-2022-1973: 2aafbe9fb210a355d6e0e92a91f294dee80e5d44 fs/ntfs3: Fix invalid free in log_replay
CVEs fixed in 5.18.4:
CVE-2022-32981: 7764a258356c454fe56b9f56fc07c0e146a3bccb powerpc/32: Fix overread/overwrite of thread_struct via ptrace
CVE-2022-34494: d51720ac069d465101d937273acecde1f71ea411 rpmsg: virtio: Fix possible double free in rpmsg_virtio_add_ctrl_dev()
CVE-2022-34495: b7e88e4bb41dea89b1dadf7a985d7aff53720629 rpmsg: virtio: Fix possible double free in rpmsg_probe()
CVEs fixed in 5.18.5:
CVE-2022-21123: bc4d37b2338a32a6668d94803feebc9cbc85572e x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data
CVE-2022-21125: dce28a791e9632f96ba018f2ef708e012edb4133 x86/speculation/mmio: Reuse SRBDS mitigation for SBDS
CVE-2022-21166: 8547d4ae6a95543b69d523f3706dbf887496e9f3 x86/speculation/mmio: Enable CPU Fill buffer clearing on idle
CVEs fixed in 5.18.6:
CVE-2022-1976: bba36a27c38650eefc79d18c33a0acd0dcbeabb8 io_uring: reinstate the inflight tracking
CVEs fixed in 5.18.10:
CVE-2022-2318: 570b99c2e1508708c4a32a58f98071fbc3c2c351 net: rose: fix UAF bugs caused by timer handler
CVE-2022-26365: 62b5d188a270a25138a88c18409c596c1406b993 xen/blkfront: fix leaking data in shared pages
CVE-2022-33740: 6d98cf6e58b5867225c3b4ea49bc431895ef33f0 xen/netfront: fix leaking data in shared pages
CVE-2022-33741: 3893cd0fec5e80e8d1c681794ee43167eb799e4d xen/netfront: force data bouncing when backend is untrusted
CVE-2022-33742: 3ebaa2c13f680889c4fb9f090b243499d25017d0 xen/blkfront: force data bouncing when backend is untrusted
CVE-2022-33743: a74adaffc8db86b4dbdd98762deff70b155b0f4d xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()
CVE-2022-33744: efd9826d4c08abac7e8840757e3e1bfcf2876f70 xen/arm: Fix race in RB-tree based P2M accounting
CVEs fixed in 5.18.11:
CVE-2021-33655: 9ae8c4f7fb45641294e9bd3b243d4ff472796ae7 fbcon: Disallow setting font bigger than screen size
CVE-2022-34918: 6b7488071ea8ed6265a39afebd5a5920f6975d02 netfilter: nf_tables: stricter validation of element data
CVEs fixed in 5.18.13:
CVE-2022-1462: fa3302714c03e4e6c9b5aad5dacae33e75f76cf7 tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
CVE-2022-36123: 2334bdfc2da469c9807767002a2831274b82c39a x86: Clear .brk area at early boot
CVEs fixed in 5.18.14:
CVE-2022-23816: e492002673b03c636d2297fb869d68ae545c41c4 x86/kvm/vmx: Make noinstr clean
CVE-2022-29900: e492002673b03c636d2297fb869d68ae545c41c4 x86/kvm/vmx: Make noinstr clean
CVE-2022-29901: e492002673b03c636d2297fb869d68ae545c41c4 x86/kvm/vmx: Make noinstr clean
CVEs fixed in 5.18.15:
CVE-2022-1882: 49cbb4820e4f1895130755732485afb2d18508f9 watchqueue: make sure to serialize 'wqueue->defunct' properly
CVE-2022-21505: f67ff524f283183c52d2575b11beec00cc4d5092 lockdown: Fix kexec lockdown bypass with ima policy
CVE-2022-36879: 70f5e35cd5e38017653ed1ca0f7a4ab6d5c5a794 xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()
CVEs fixed in 5.18.16:
CVE-2022-36946: 883c20911d6261fc651820b63a77327b8c020264 netfilter: nf_queue: do not allow packet truncation below transport header offset
CVEs fixed in 5.18.17:
CVE-2022-26373: 0abdbbd9ae9c81615836278d787a8c8dcd576c36 x86/speculation: Add RSB VM Exit protections
CVE-2022-39189: 719492d2bc3b99c067076bddc62e63cda8ad16e2 KVM: x86: do not report a vCPU as preempted outside instruction boundaries
CVEs fixed in 5.18.18:
CVE-2022-1679: 6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6 ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
CVE-2022-20422: 6a2fd114678d7fc1b5a0f8865ae98f1c17787455 arm64: fix oops in concurrently setting insn_emulation sysctls
CVE-2022-2585: e8cb6e8fd9890780f1bfcf5592889e1b879e779c posix-cpu-timers: Cleanup CPU timers before freeing them during exec
CVE-2022-2586: f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f netfilter: nf_tables: do not allow SET_ID to refer to another table
CVE-2022-2588: e832c26e7edfa2ddbd2dcdd48016d13d747de6da net_sched: cls_route: remove from list when handle is 0
Outstanding CVEs:
CVE-2005-3660: (unk)
CVE-2007-3719: (unk)
CVE-2008-2544: (unk)
CVE-2008-4609: (unk)
CVE-2010-4563: (unk)
CVE-2010-5321: (unk)
CVE-2011-4916: (unk)
CVE-2011-4917: (unk)
CVE-2012-4542: (unk)
CVE-2013-7445: (unk)
CVE-2015-2877: (unk)
CVE-2016-8660: (unk)
CVE-2017-13693: (unk)
CVE-2017-13694: (unk)
CVE-2018-1121: (unk)
CVE-2018-12928: (unk)
CVE-2018-12929: (unk)
CVE-2018-12930: (unk)
CVE-2018-12931: (unk)
CVE-2018-17977: (unk)
CVE-2019-12456: (unk)
CVE-2019-15239: (unk) unknown
CVE-2019-15290: (unk)
CVE-2019-15902: (unk) unknown
CVE-2019-16089: (unk)
CVE-2019-19378: (unk)
CVE-2019-19814: (unk)
CVE-2019-20794: (unk)
CVE-2020-0347: (unk)
CVE-2020-10708: (unk)
CVE-2020-11725: (unk)
CVE-2020-14304: (unk)
CVE-2020-15802: (unk)
CVE-2020-24502: (unk)
CVE-2020-24503: (unk)
CVE-2020-25220: (unk)
CVE-2020-26140: (unk)
CVE-2020-26142: (unk)
CVE-2020-26143: (unk)
CVE-2020-26556: (unk)
CVE-2020-26557: (unk)
CVE-2020-26559: (unk)
CVE-2020-26560: (unk)
CVE-2020-35501: (unk)
CVE-2020-36516: (unk)
CVE-2021-0399: (unk)
CVE-2021-0695: (unk)
CVE-2021-26934: (unk)
CVE-2021-3542: (unk)
CVE-2021-3714: (unk)
CVE-2021-3847: (unk)
CVE-2021-3864: (unk)
CVE-2021-3892: (unk)
CVE-2021-39800: (unk)
CVE-2021-39801: (unk)
CVE-2021-39802: (unk)
CVE-2022-0400: (unk)
CVE-2022-1116: (unk)
CVE-2022-1247: (unk)
CVE-2022-20421: (unk) binder: fix UAF of ref->proc caused by race condition
CVE-2022-2209: (unk)
CVE-2022-2308: (unk) vduse: prevent uninitialized memory accesses
CVE-2022-23825: (unk)
CVE-2022-25265: (unk)
CVE-2022-2590: (unk) mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
CVE-2022-2663: (unk) netfilter: nf_conntrack_irc: Fix forged IP logic
CVE-2022-26878: (unk)
CVE-2022-2785: (unk) bpf: Disallow bpf programs call prog_run command.
CVE-2022-2905: (unk) bpf: Don't use tnum_range on array range checking for poke descriptors
CVE-2022-2961: (unk)
CVE-2022-2978: (unk)
CVE-2022-3028: (unk) af_key: Do not call xfrm_probe_algs in parallel
CVE-2022-3169: (unk)
CVE-2022-3303: (unk) ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
CVE-2022-3424: (unk)
CVE-2022-3435: (unk)
CVE-2022-36280: (unk)
CVE-2022-36402: (unk)
CVE-2022-38096: (unk)
CVE-2022-38457: (unk)
CVE-2022-39188: (unk) mmu_gather: Force tlb-flush VM_PFNMAP vmas
CVE-2022-39190: (unk) netfilter: nf_tables: disallow binding to already bound chain
CVE-2022-39842: (unk) video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
CVE-2022-40133: (unk)
CVE-2022-40307: (unk) efi: capsule-loader: Fix use-after-free in efi_capsule_write
CVE-2022-40768: (unk) scsi: stex: Properly zero out the passthrough command structure
CVE-2022-41218: (unk)
CVE-2022-41848: (unk)
CVE-2022-41849: (unk)
CVE-2022-41850: (unk)
CVE-2022-42703: (unk) mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse