A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4823 advisory.

    * kernel: vmwgfx: multiple flaws (CVE-2022-36402, CVE-2022-40133, CVE-2022-38457, CVE-2023-5633)

    * kernel: nftables: (CVE-2024-26581)

    * kernel: uio: (CVE-2023-52439)

    * kernel: smb: (CVE-2023-52434)

    * kernel: intel: (CVE-2023-52450)

    * kernel: net: multiple flaws (CVE-2023-52578, CVE-2024-36978, CVE-2022-48743)

    * kernel: Bluetooth: (CVE-2023-52518)

    * kernel: netfilter: multiple flaws (CVE-2024-26668, CVE-2024-26808, CVE-2024-26925, CVE-2024-27020,     CVE-2024-27019, CVE-2024-27016, CVE-2024-27065, CVE-2024-35899, CVE-2024-35897)

    * kernel: hv_netvsc: (CVE-2024-26698)

    * kernel: ext4: multiple flaws (CVE-2024-26704, CVE-2024-26773)

    * kernel: net/sched: (CVE-2024-26739)

    * kernel: vfio/pci: (CVE-2024-26810)

    * kernel: dm: (CVE-2024-26880)

    * kernel: x86/xen: (CVE-2024-26908)

    * kernel: af_unix: multiple flaws (CVE-2024-26923, CVE-2024-38596)

    * kernel: scsi: multiple flaws (CVE-2024-26931, CVE-2024-26929, CVE-2023-52811, CVE-2024-36025,     CVE-2024-36924, CVE-2024-36952)

    * kernel: Squashfs: (CVE-2024-26982)

    * kernel: KVM: (CVE-2024-35791)

    * kernel: ipv6: (CVE-2024-27417)

    * kernel: drm/client: (CVE-2024-35950)

    * kernel: sched/psi: (CVE-2023-52707)

    * kernel: can: (CVE-2021-47459)

    * kernel: tcp: (CVE-2024-36904)

    * kernel: tls: (CVE-2024-36489)

    * The kernel packages contain the Linux kernel, the core of any Linux operating system.

    * Security Fix(es):

    * * kernel: vmwgfx: race condition leading to information disclosure vulnerability     (CVE-2023-33951,ZDI-23-707,ZDI-CAN-20110)

    * * kernel: vmwgfx: double free within the handling of vmw_buffer_object objects     (CVE-2023-33952,ZDI-23-708,ZDI-CAN-20292)

    * * kernel: stack overflow problem in Open vSwitch kernel module leading to DoS (CVE-2024-1151)

    * For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4831 advisory.

    The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with     extremely high determinism requirements.
    Security Fix(es):

    * kernel: vmwgfx: multiple flaws (CVE-2022-36402, CVE-2022-40133, CVE-2022-38457, CVE-2023-5633)

    * kernel: nftables: (CVE-2024-26581)

    * kernel: uio: (CVE-2023-52439)

    * kernel: smb: (CVE-2023-52434)

    * kernel: intel: (CVE-2023-52450)

    * kernel: net: multiple flaws (CVE-2023-52578, CVE-2024-36978, CVE-2022-48743)

    * kernel: Bluetooth: (CVE-2023-52518)

    * kernel: netfilter: multiple flaws (CVE-2024-26668, CVE-2024-26808, CVE-2024-26925, CVE-2024-27020,     CVE-2024-27019, CVE-2024-27016, CVE-2024-27065, CVE-2024-35899, CVE-2024-35897)

    * kernel: hv_netvsc: (CVE-2024-26698)

    * kernel: ext4: multiple flaws (CVE-2024-26704, CVE-2024-26773)

    * kernel: net/sched: (CVE-2024-26739)

    * kernel: vfio/pci: (CVE-2024-26810)

    * kernel: dm: (CVE-2024-26880)

    * kernel: af_unix: multiple flaws (CVE-2024-26923, CVE-2024-38596)

    * kernel: scsi: multiple flaws (CVE-2024-26931, CVE-2024-26929, CVE-2023-52811, CVE-2024-36025,     CVE-2024-36924, CVE-2024-36952)

    * kernel: Squashfs: (CVE-2024-26982)

    * kernel: KVM: (CVE-2024-35791)

    * kernel: ipv6: (CVE-2024-27417)

    * kernel: drm/client: (CVE-2024-35950)

    * kernel: sched/psi: (CVE-2023-52707)

    * kernel: can: (CVE-2021-47459)

    * kernel: tcp: (CVE-2024-36904)

    * kernel: tls: (CVE-2024-36489)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6583 advisory.

  - Kernel: race when faulting a device private page in memory manager (CVE-2022-3523)

  - kernel: use-after-free in l1oip timer handlers (CVE-2022-3565)

  - kernel: Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594)

  - kernel: vmwgfx: use-after-free in vmw_cmd_res_check (CVE-2022-38457)

  - kernel: vmwgfx: use-after-free in vmw_execbuf_tie_context (CVE-2022-40133)

  - hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982)

  - kernel: Information leak in l2cap_parse_conf_req in net/bluetooth/l2cap_core.c (CVE-2022-42895)

  - kernel: x86/mm: Randomize per-cpu entry area (CVE-2023-0597)

  - kernel: HID: check empty report_list in hid_validate_values() (CVE-2023-1073)

  - kernel: sctp: fail if no bound addresses can be used for a given scope (CVE-2023-1074)

  - kernel: net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075)

  - kernel: tap: tap_open(): correctly initialize socket uid (CVE-2023-1076)

  - kernel: hid: Use After Free in asus_remove() (CVE-2023-1079)

  - kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

  - kernel: missing mmap_lock in file_files_note that could possibly lead to a use after free in the coredump     code (CVE-2023-1249)

  - kernel: ovl: fix use after free in struct ovl_aio_req (CVE-2023-1252)

  - Kernel: use-after-free in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c (CVE-2023-1652)

  - kernel: use-after-free bug in remove function xgene_hwmon_remove (CVE-2023-1855)

  - kernel: Use after free bug in btsdio_remove due to race condition (CVE-2023-1989)

  - kernel:  A possible deadlock in dm_get_inactive_table in dm- ioctl.c leads to dos (CVE-2023-2269)

  - kernel: Use after free bug in r592_remove (CVE-2023-3141)

  - kernel: fbcon: shift-out-of-bounds in fbcon_set_font() (CVE-2023-3161)

  - kernel: gfs2: NULL pointer dereference in gfs2_evict_inode() (CVE-2023-3212)

  - kernel: out-of-bounds access in relay_file_read (CVE-2023-3268)

  - kernel: NULL pointer dereference due to missing kalloc() return value check in shtp_cl_get_dma_send_buf()     (CVE-2023-3358)

  - kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

  - kernel: xfrm: NULL pointer dereference in xfrm_update_ae_params() (CVE-2023-3772)

  - kernel: xfrm: out-of-bounds read of XFRMA_MTIMER_THRESH nlattr (CVE-2023-3773)

  - kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability (CVE-2023-4155)

  - kernel: tap: tap_open(): correctly initialize socket uid next fix of i_uid to current_fsuid     (CVE-2023-4194)

  - kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and     cls_route (CVE-2023-4206, CVE-2023-4207, CVE-2023-4208)

  - kernel: exFAT: stack overflow in exfat_get_uniname_from_ext_entry (CVE-2023-4273)

  - kernel: mpls: double free on sysctl allocation failure (CVE-2023-26545)

  - kernel: KVM: nVMX: missing consistency checks for CR0 and CR4 (CVE-2023-30456)

  - kernel: net: qcom/emac: race condition leading to use-after-free in emac_remove() (CVE-2023-33203)

  - kernel: vmwgfx: race condition leading to information disclosure vulnerability (CVE-2023-33951)

  - kernel: vmwgfx: double free within the handling of vmw_buffer_object objects (CVE-2023-33952)

  - kernel: r592: race condition leading to use-after-free in r592_remove() (CVE-2023-35825)

  - kernel: eBPF: insufficient stack type checks in dynptr (CVE-2023-39191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1404 advisory.

    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es):

    * kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in     drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c (CVE-2021-43975)

    * kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c (CVE-2022-28388)

    * kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (CVE-2022-41858)

    * kernel: Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594)

    * kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

    * kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

    * kernel: denial of service in tipc_conn_close (CVE-2023-1382)

    * kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow (CVE-2023-28772)

    * kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

    * kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

    * kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

    * kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

    * kernel: Out-Of-Bounds Read vulnerability in smbCalcSize (CVE-2023-6606)

    * kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as     destination (CVE-2024-0646)

    * kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

    * kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

    Bug Fix(es):

    * The kernel is still getting hung up even after converting kernfs_mutex to kernfs_rwsem with massive     concurrent kernfs access (open & lookup) performed by kubelet/node_exporter threads. (JIRA:RHEL-17149)

    * kernel: Rate limit overflow messages in r8152 in intr_callback (JIRA:RHEL-18810)

    * kernel: tun: avoid double free in tun_free_netdev (JIRA:RHEL-18813)

    * kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow (JIRA:RHEL-18850)

    * kernel: NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19461)

    * ipoib mcast lockup fix (JIRA:RHEL-19698)

    * kernel: denial of service in tipc_conn_close (JIRA:RHEL-18824)

    * Rhel-8.6 crash at  qed_get_current_link+0x11 during tx_timeout recovery  (JIRA:RHEL-20923)

    * kernel: use-after-free in sch_qfq network scheduler (JIRA:RHEL-14402)

    * RHEL8.6 - s390/qeth: NET2016 - fix use-after-free in HSCI (JIRA:RHEL-15849)

    * RHEL8.6 - s390/qeth: recovery and set offline lose routes and IPv6 addr (JIRA:RHEL-17883)

    * kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (JIRA:RHEL-18582)

    * kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in     drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c (JIRA:RHEL-18799)

    * kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c (JIRA:RHEL-18814)

    * kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-18998)

    * dm multipath device suspend deadlocks waiting on a flush request (JIRA:RHEL-19110)

    * kernel: Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19327)

    * kernel: A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19451)

    * [RHEL8] I/O blocked during fio background with IO schedule switch, cpu offline/online, pci nvme     rescan/reset (JIRA:RHEL-20231)

    * kernel: refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20298)

    * kernel: inactive elements in nft_pipapo_walk (JIRA:RHEL-20697)

    * kernel: Out-Of-Bounds Read vulnerability in smbCalcSize (JIRA:RHEL-21661)

    * kernel NULL pointer at RIP: 0010:kyber_has_work+0x1c/0x60 (JIRA:RHEL-21784)

    * kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as     destination (JIRA:RHEL-22090)

    * backport timerlat user-space support (JIRA:RHEL-20361)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0930 advisory.

    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es):

    * kernel: GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546)

    * kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory (CVE-2021-33655)

    * kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks     (CVE-2022-2196)

    * kernel: media: em28xx: initialize refcount before kref_get (CVE-2022-3239)

    * kernel: use-after-free after failed devlink reload in devlink_param_get (CVE-2022-3625)

    * kernel: net/packet: slab-out-of-bounds access in packet_recvmsg() (CVE-2022-20368)

    * hw: cpu: arm64: Spectre-BHB (CVE-2022-23960)

    * kernel: use-after-free due to improper update of reference count in net/sched/cls_u32.c (CVE-2022-29581)

    * kernel: vmwgfx: integer overflow in vmwgfx_execbuf.c (CVE-2022-36402)

    * kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

    * kernel: vmwgfx: use-after-free in vmw_cmd_res_check (CVE-2022-38457)

    * kernel: vmwgfx: use-after-free in vmw_execbuf_tie_context (CVE-2022-40133)

    * kernel: sctp: fail if no bound addresses can be used for a given scope (CVE-2023-1074)

    * kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size     (CVE-2023-6931)

    * kernel: KVM: nVMX: missing consistency checks for CR0 and CR4 (CVE-2023-30456)

    * kernel: blocking operation in dvb_frontend_get_event and wait_event_interruptible (CVE-2023-31084)

    * kernel: use-after-free in amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c     (CVE-2023-51042)

    * kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-7077 advisory.

  - qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write     because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)

  - A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In     this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on     hdev devices. (CVE-2023-1989)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. When u32_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
    (CVE-2023-4208)

  - An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a     blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is     called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event,     down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and     down(&fepriv->sem) may block the process. (CVE-2023-31084)

  - A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this     flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement     referencing pmd_t x. (CVE-2023-4732)

  - A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using     SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke     the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can     trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel     configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

  - A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this     vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The     manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to     apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
    (CVE-2022-3594)

  - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The     resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be     used to leak the contents. We recommend upgrading past version 6.1.8 or commit     739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result     struct is always copied into the new instance of the filter. This causes a problem when updating a filter     bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,     decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-     free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

  - Information exposure through microarchitectural state after transient execution in certain vector     execution units for some Intel(R) Processors may allow an authenticated user to potentially enable     information disclosure via local access. (CVE-2022-40982)

  - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may     occur when a user starts a malicious networking service and someone connects to this service. This could     allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)

  - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,     potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field     that overlaps with rec->tx_ready. (CVE-2023-1075)

  - A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware     Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system     due to a race problem. This vulnerability could even lead to a kernel information leak problem.
    (CVE-2023-1855)

  - The Linux kernel allows userspace processes to enable mitigations by calling prctl with     PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed     that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to     attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be     observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened     because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that     STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
    However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons,     which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target     injection against which STIBP protects. (CVE-2023-1998)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial     of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition     rather than valid classification results). (CVE-2023-23455)

  - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure     (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)

  - A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to     cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the     TDP MMU are enabled. (CVE-2022-45869)

  - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when     plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to     the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED     controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led     structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
    (CVE-2023-1079)

  - A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the     extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system     crash or other undefined behaviors. (CVE-2023-2513)

  - A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the     Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading     to a kernel information leak. (CVE-2023-3141)

  - An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in     kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel     internal information. (CVE-2023-3268)

  - A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function     l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads     to use after free. It is recommended to apply a patch to fix this issue. The identifier of this     vulnerability is VDB-211944. (CVE-2022-3640)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited     to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-     of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend     upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in     drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a     crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)

  - A double-free flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user     registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw     allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-4744)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req     function which can be used to leak kernel pointers remotely. We recommend upgrading past commit     https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e     https://www.google.com/url (CVE-2022-42895)

  - A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was     found in the way user can guess location of exception stack(s) or other important data. A local user could     use this flaw to get access to some important data with expected location in memory. (CVE-2023-0597)

  - A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on     corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it     has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
    (CVE-2023-3212)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return     an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
    (CVE-2023-3609)

  - An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in     drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)

  - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the     way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate     their privileges on the system. (CVE-2023-1118)

  - A use-after-free flaw was found in the Linux kernel's Ext4 File System in how a user triggers several file     operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially     escalate their privileges on the system. Only if patch 9a2544037600 (ovl: fix use after free in struct     ovl_aio_req) not applied yet, the kernel could be affected. (CVE-2023-1252)

  - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double     free. (CVE-2022-28388)

  - An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a     memory leak because of the lack of a dvb_frontend_detach call. (CVE-2022-45887)

  - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race     problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (net: sched: fix race     condition in qdisc_graft()) not applied yet, then kernel could be affected. (CVE-2023-0590)

  - A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6     functionality when a user makes a new kind of SYN flood attack. A user located in the local network or     with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up     to 95%. (CVE-2023-1206)

  - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This     issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc     protocol in the Linux kernel. (CVE-2023-1382)

  - A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs     during device initialization when the siano device is plugged in. This flaw allows a local user to crash     the system, causing a denial of service condition. (CVE-2023-4132)

  - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer     overflow. (CVE-2023-28772)

  - An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64     lacks consistency checks for CR0 and CR4. (CVE-2023-30456)

  - The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in     drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
    (CVE-2023-33203)

  - A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within     the handling of GEM objects. The issue results from improper locking when performing operations on an     object. This flaw allows a local privileged user to disclose information in the context of the kernel.
    (CVE-2023-33951)

  - An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in     drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)

  - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a     user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their     privileges on the system. (CVE-2023-1073)

  - A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and     font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds     occurs leading to undefined behavior and possible denial of service. (CVE-2023-3161)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in     the Linux Kernel. The message from user space is not checked properly before transferring into the device.
    This flaw allows a local user to crash the system or potentially cause a denial of service.
    (CVE-2023-28328)

  - A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the     handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an     object prior to performing further free operations on the object. This flaw allows a local privileged user     to escalate privileges and execute code in the context of the kernel. (CVE-2023-33952)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-6583 advisory.

  - A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this     vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The     manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to     apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
    (CVE-2022-3594)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the     Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading     to a kernel information leak. (CVE-2023-3141)

  - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure     (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)

  - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue     is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The     manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier     of this vulnerability is VDB-211088. (CVE-2022-3565)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req     function which can be used to leak kernel pointers remotely. We recommend upgrading past commit     https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e     https://www.google.com/url (CVE-2022-42895)

  - A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and     font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds     occurs leading to undefined behavior and possible denial of service. (CVE-2023-3161)

  - A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue     could allow a local user to crash the system. (CVE-2023-3358)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may     occur when a user starts a malicious networking service and someone connects to this service. This could     allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)

  - A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a     type confusion in their initialization function. While it will be often correct, as tuntap devices require     CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This     would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing     network filters. (CVE-2023-1076)

  - An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64     lacks consistency checks for CR0 and CR4. (CVE-2023-30456)

  - A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was     found in the way user can guess location of exception stack(s) or other important data. A local user could     use this flaw to get access to some important data with expected location in memory. (CVE-2023-0597)

  - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a     user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their     privileges on the system. (CVE-2023-1073)

  - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,     potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field     that overlaps with rec->tx_ready. (CVE-2023-1075)

  - A use-after-free flaw was found in the Linux kernel's core dump subsystem. This flaw allows a local user     to crash the system. Only if patch 390031c94211 (coredump: Use the vma snapshot in fill_files_note) not     applied yet, then kernel could be affected. (CVE-2023-1249)

  - A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In     this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on     hdev devices. (CVE-2023-1989)

  - A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown     function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after     free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.
    The identifier of this vulnerability is VDB-211020. (CVE-2022-3523)

  - A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6     functionality when a user makes a new kind of SYN flood attack. A user located in the local network or     with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up     to 95%. (CVE-2023-1206)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of     XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data     to userspace. (CVE-2023-3773)

  - A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using     SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke     the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can     trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel     configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result     struct is always copied into the new instance of the filter. This causes a problem when updating a filter     bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,     decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-     free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. When u32_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
    (CVE-2023-4208)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware     Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system     due to a race problem. This vulnerability could even lead to a kernel information leak problem.
    (CVE-2023-1855)

  - A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on     corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it     has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
    (CVE-2023-3212)

  - The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in     drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
    (CVE-2023-33203)

  - A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the     handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an     object prior to performing further free operations on the object. This flaw allows a local privileged user     to escalate privileges and execute code in the context of the kernel. (CVE-2023-33952)

  - Information exposure through microarchitectural state after transient execution in certain vector     execution units for some Intel(R) Processors may allow an authenticated user to potentially enable     information disclosure via local access. (CVE-2022-40982)

  - An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in     kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel     internal information. (CVE-2023-3268)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return     an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
    (CVE-2023-3609)

  - A use-after-free flaw was found in the Linux kernel's Ext4 File System in how a user triggers several file     operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially     escalate their privileges on the system. Only if patch 9a2544037600 (ovl: fix use after free in struct     ovl_aio_req) not applied yet, the kernel could be affected. (CVE-2023-1252)

  - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the     Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel     information leak problem. (CVE-2023-1652)

  - A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within     the handling of GEM objects. The issue results from improper locking when performing operations on an     object. This flaw allows a local privileged user to disclose information in the context of the kernel.
    (CVE-2023-33951)

  - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when     plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to     the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED     controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led     structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
    (CVE-2023-1079)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs     due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to     executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute     arbitrary code in the context of the kernel. (CVE-2023-39191)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7077 advisory.

  - In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in     drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a     crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)

  - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double     free. (CVE-2022-28388)

  - A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this     vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The     manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to     apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
    (CVE-2022-3594)

  - A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function     l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads     to use after free. It is recommended to apply a patch to fix this issue. The identifier of this     vulnerability is VDB-211944. (CVE-2022-3640)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - Information exposure through microarchitectural state after transient execution in certain vector     execution units for some Intel(R) Processors may allow an authenticated user to potentially enable     information disclosure via local access. (CVE-2022-40982)

  - There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req     function which can be used to leak kernel pointers remotely. We recommend upgrading past commit     https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e     https://www.google.com/url (CVE-2022-42895)

  - A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to     cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the     TDP MMU are enabled. (CVE-2022-45869)

  - An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a     memory leak because of the lack of a dvb_frontend_detach call. (CVE-2022-45887)

  - A double-free flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user     registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw     allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-4744)

  - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The     resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be     used to leak the contents. We recommend upgrading past version 6.1.8 or commit     739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)

  - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race     problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (net: sched: fix race     condition in qdisc_graft()) not applied yet, then kernel could be affected. (CVE-2023-0590)

  - A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was     found in the way user can guess location of exception stack(s) or other important data. A local user could     use this flaw to get access to some important data with expected location in memory. (CVE-2023-0597)

  - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a     user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their     privileges on the system. (CVE-2023-1073)

  - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may     occur when a user starts a malicious networking service and someone connects to this service. This could     allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)

  - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,     potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field     that overlaps with rec->tx_ready. (CVE-2023-1075)

  - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when     plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to     the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED     controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led     structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
    (CVE-2023-1079)

  - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the     way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate     their privileges on the system. (CVE-2023-1118)

  - A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6     functionality when a user makes a new kind of SYN flood attack. A user located in the local network or     with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up     to 95%. (CVE-2023-1206)

  - A use-after-free flaw was found in the Linux kernel's Ext4 File System in how a user triggers several file     operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially     escalate their privileges on the system. Only if patch 9a2544037600 (ovl: fix use after free in struct     ovl_aio_req) not applied yet, the kernel could be affected. (CVE-2023-1252)

  - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This     issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc     protocol in the Linux kernel. (CVE-2023-1382)

  - A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware     Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system     due to a race problem. This vulnerability could even lead to a kernel information leak problem.
    (CVE-2023-1855)

  - A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In     this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on     hdev devices. (CVE-2023-1989)

  - The Linux kernel allows userspace processes to enable mitigations by calling prctl with     PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed     that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to     attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be     observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened     because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that     STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
    However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons,     which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target     injection against which STIBP protects. (CVE-2023-1998)

  - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial     of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition     rather than valid classification results). (CVE-2023-23455)

  - A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the     extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system     crash or other undefined behaviors. (CVE-2023-2513)

  - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure     (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)

  - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in     the Linux Kernel. The message from user space is not checked properly before transferring into the device.
    This flaw allows a local user to crash the system or potentially cause a denial of service.
    (CVE-2023-28328)

  - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer     overflow. (CVE-2023-28772)

  - An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64     lacks consistency checks for CR0 and CR4. (CVE-2023-30456)

  - An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a     blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is     called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event,     down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and     down(&fepriv->sem) may block the process. (CVE-2023-31084)

  - A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the     Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading     to a kernel information leak. (CVE-2023-3141)

  - qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write     because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)

  - A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and     font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds     occurs leading to undefined behavior and possible denial of service. (CVE-2023-3161)

  - A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on     corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it     has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
    (CVE-2023-3212)

  - An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in     kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel     internal information. (CVE-2023-3268)

  - The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in     drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
    (CVE-2023-33203)

  - A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within     the handling of GEM objects. The issue results from improper locking when performing operations on an     object. This flaw allows a local privileged user to disclose information in the context of the kernel.
    (CVE-2023-33951)

  - A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the     handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an     object prior to performing further free operations on the object. This flaw allows a local privileged user     to escalate privileges and execute code in the context of the kernel. (CVE-2023-33952)

  - An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in     drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)

  - An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in     drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return     an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
    (CVE-2023-3609)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited     to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-     of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend     upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs     during device initialization when the siano device is plugged in. This flaw allows a local user to crash     the system, causing a denial of service condition. (CVE-2023-4132)

  - A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using     SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke     the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can     trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel     configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result     struct is always copied into the new instance of the filter. This causes a problem when updating a filter     bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,     decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-     free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. When u32_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
    (CVE-2023-4208)

  - A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this     flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement     referencing pmd_t x. (CVE-2023-4732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6901 advisory.

  - In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in     drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a     crafted device) to trigger an out-of-bounds write via a crafted length value. (CVE-2021-43975)

  - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double     free. (CVE-2022-28388)

  - A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this     vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The     manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to     apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
    (CVE-2022-3594)

  - A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function     l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads     to use after free. It is recommended to apply a patch to fix this issue. The identifier of this     vulnerability is VDB-211944. (CVE-2022-3640)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - Information exposure through microarchitectural state after transient execution in certain vector     execution units for some Intel(R) Processors may allow an authenticated user to potentially enable     information disclosure via local access. (CVE-2022-40982)

  - There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req     function which can be used to leak kernel pointers remotely. We recommend upgrading past commit     https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e     https://www.google.com/url (CVE-2022-42895)

  - A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to     cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the     TDP MMU are enabled. (CVE-2022-45869)

  - An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a     memory leak because of the lack of a dvb_frontend_detach call. (CVE-2022-45887)

  - A double-free flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user     registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw     allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-4744)

  - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The     resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be     used to leak the contents. We recommend upgrading past version 6.1.8 or commit     739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)

  - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race     problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (net: sched: fix race     condition in qdisc_graft()) not applied yet, then kernel could be affected. (CVE-2023-0590)

  - A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was     found in the way user can guess location of exception stack(s) or other important data. A local user could     use this flaw to get access to some important data with expected location in memory. (CVE-2023-0597)

  - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a     user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their     privileges on the system. (CVE-2023-1073)

  - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may     occur when a user starts a malicious networking service and someone connects to this service. This could     allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)

  - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,     potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field     that overlaps with rec->tx_ready. (CVE-2023-1075)

  - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when     plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to     the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED     controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led     structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
    (CVE-2023-1079)

  - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the     way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate     their privileges on the system. (CVE-2023-1118)

  - A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6     functionality when a user makes a new kind of SYN flood attack. A user located in the local network or     with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up     to 95%. (CVE-2023-1206)

  - A use-after-free flaw was found in the Linux kernel's Ext4 File System in how a user triggers several file     operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially     escalate their privileges on the system. Only if patch 9a2544037600 (ovl: fix use after free in struct     ovl_aio_req) not applied yet, the kernel could be affected. (CVE-2023-1252)

  - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This     issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc     protocol in the Linux kernel. (CVE-2023-1382)

  - A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware     Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system     due to a race problem. This vulnerability could even lead to a kernel information leak problem.
    (CVE-2023-1855)

  - A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In     this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on     hdev devices. (CVE-2023-1989)

  - The Linux kernel allows userspace processes to enable mitigations by calling prctl with     PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed     that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to     attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be     observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened     because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that     STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection.
    However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons,     which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target     injection against which STIBP protects. (CVE-2023-1998)

  - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial     of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition     rather than valid classification results). (CVE-2023-23455)

  - A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the     extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system     crash or other undefined behaviors. (CVE-2023-2513)

  - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure     (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)

  - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in     the Linux Kernel. The message from user space is not checked properly before transferring into the device.
    This flaw allows a local user to crash the system or potentially cause a denial of service.
    (CVE-2023-28328)

  - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer     overflow. (CVE-2023-28772)

  - An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64     lacks consistency checks for CR0 and CR4. (CVE-2023-30456)

  - An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a     blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is     called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event,     down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and     down(&fepriv->sem) may block the process. (CVE-2023-31084)

  - A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the     Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading     to a kernel information leak. (CVE-2023-3141)

  - qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write     because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)

  - A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and     font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds     occurs leading to undefined behavior and possible denial of service. (CVE-2023-3161)

  - A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on     corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it     has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic.
    (CVE-2023-3212)

  - An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in     kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel     internal information. (CVE-2023-3268)

  - The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in     drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
    (CVE-2023-33203)

  - A race condition vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within     the handling of GEM objects. The issue results from improper locking when performing operations on an     object. This flaw allows a local privileged user to disclose information in the context of the kernel.
    (CVE-2023-33951)

  - A double-free vulnerability was found in the vmwgfx driver in the Linux kernel. The flaw exists within the     handling of vmw_buffer_object objects. The issue results from the lack of validating the existence of an     object prior to performing further free operations on the object. This flaw allows a local privileged user     to escalate privileges and execute code in the context of the kernel. (CVE-2023-33952)

  - An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in     drivers/media/pci/saa7134/saa7134-core.c. (CVE-2023-35823)

  - An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in     drivers/media/pci/dm1105/dm1105.c. (CVE-2023-35824)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return     an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
    (CVE-2023-3609)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited     to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-     of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend     upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs     during device initialization when the siano device is plugged in. This flaw allows a local user to crash     the system, causing a denial of service condition. (CVE-2023-4132)

  - A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using     SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke     the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can     trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel     configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result     struct is always copied into the new instance of the filter. This causes a problem when updating a filter     bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,     decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-     free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. When u32_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
    (CVE-2023-4208)

  - A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this     flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement     referencing pmd_t x. (CVE-2023-4732)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3988-1 advisory.

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs     in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem,     possibly leading to a kernel information leak. (CVE-2023-1859)

  - The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper     locking when performing operations on an object. An attacker can leverage this in conjunction with other     vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
    (CVE-2023-2007)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588)

  - A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in     Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A     local user could use this flaw to crash the system or potentially cause a denial of service.
    (CVE-2023-2177)

  - The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a     way such that not all of the headers would come in one piece. Unfortunately the logic introduced there     didn't account for the extreme case of the entire packet being split into as many pieces as permitted by     the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible)     headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
    (CVE-2023-34319)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in     the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend     upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds     and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
    This flaw allows a local user with special privileges to impact a kernel information leak issue.
    (CVE-2023-3863)

  - An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before     6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

  - A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in     the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to     incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

  - A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the     cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This     flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with     NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

  - A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux     Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which     results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3971-1 advisory.

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper     locking when performing operations on an object. An attacker can leverage this in conjunction with other     vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
    (CVE-2023-2007)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588)

  - The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a     way such that not all of the headers would come in one piece. Unfortunately the logic introduced there     didn't account for the extreme case of the entire packet being split into as many pieces as permitted by     the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible)     headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
    (CVE-2023-34319)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in     the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend     upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds     and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
    This flaw allows a local user with special privileges to impact a kernel information leak issue.
    (CVE-2023-3863)

  - An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before     6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

  - A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in     the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to     incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

  - A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the     cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This     flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with     NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

  - A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux     Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which     results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3599-2 advisory.

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper     locking when performing operations on an object. An attacker can leverage this in conjunction with other     vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
    (CVE-2023-2007)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588)

  - 2023-09-14: CVE-2023-4015 was added to this advisory. (CVE-2023-34319)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in     the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend     upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds     and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
    This flaw allows a local user with special privileges to impact a kernel information leak issue.
    (CVE-2023-3863)

  - An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before     6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

  - A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in     the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to     incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

  - A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the     cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This     flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with     NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

  - A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux     Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which     results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3704-1 advisory.

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper     locking when performing operations on an object. An attacker can leverage this in conjunction with other     vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
    (CVE-2023-2007)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588)

  - 2023-09-14: CVE-2023-4015 was added to this advisory. (CVE-2023-34319)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in     the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend     upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds     and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
    This flaw allows a local user with special privileges to impact a kernel information leak issue.
    (CVE-2023-3863)

  - An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before     6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

  - A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in     the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to     incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

  - A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the     cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This     flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with     NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

  - A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux     Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which     results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3656-1 advisory.

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper     locking when performing operations on an object. An attacker can leverage this in conjunction with other     vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
    (CVE-2023-2007)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588) (CVE-2023-34319)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in     the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend     upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds     and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
    This flaw allows a local user with special privileges to impact a kernel information leak issue.
    (CVE-2023-3863)

  - An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before     6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

  - A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in     the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to     incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

  - A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the     cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This     flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with     NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

  - ** REJECT ** This was assigned as a duplicate of CVE-2023-4244. (CVE-2023-4563)

  - A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux     Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which     results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3599-1 advisory.

  - A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-38457)

  - A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf_tie_context' in     drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128     (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing     a denial of service(DoS). (CVE-2022-40133)

  - The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper     locking when performing operations on an object. An attacker can leverage this in conjunction with other     vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
    (CVE-2023-2007)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588)

  - A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss     of confidentiality. (CVE-2023-20588) (CVE-2023-34319)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in     the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend     upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds     and crash in read_descriptors in drivers/usb/core/sysfs.c. (CVE-2023-37453)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue     may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in     xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
    This flaw allows a local user with special privileges to impact a kernel information leak issue.
    (CVE-2023-3863)

  - An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before     6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)

  - A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in     the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to     incorrect handling of the existing filter, leading to a kernel information leak issue. (CVE-2023-4128)

  - A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the     cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This     flaw allows a local user to crash the system, causing a denial of service condition. (CVE-2023-4133)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with     NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

  - A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to     bypass network filters and gain unauthorized access to some resources. The original patches fixing     CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -     a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
    correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and     that turns out to not be accurate. (CVE-2023-4194)

  - A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation     of the file name reconstruction function, which is responsible for reading file name entries from a     directory index and merging file name parts belonging to one file into a single long file name. Since the     file name characters are copied into a stack variable, a local privileged attacker could use this flaw to     overflow the kernel stack. (CVE-2023-4273)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in     VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash     the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a     kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in     the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with     normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

  - ** REJECT ** This was assigned as a duplicate of CVE-2023-4244. (CVE-2023-4563)

  - A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux     Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which     results in a memory leak. (CVE-2023-4569)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
204602	RHEL 9 : kernel (RHSA-2024:4823)	Nessus	Red Hat Local Security Checks	high
204592	RHEL 9 : kernel-rt (RHSA-2024:4831)	Nessus	Red Hat Local Security Checks	high
194262	RHEL 9 : kernel (RHSA-2023:6583)	Nessus	Red Hat Local Security Checks	high
192277	RHEL 8 : kernel (RHSA-2024:1404)	Nessus	Red Hat Local Security Checks	high
190828	RHEL 8 : kernel (RHSA-2024:0930)	Nessus	Red Hat Local Security Checks	high
186109	Oracle Linux 8 : kernel (ELSA-2023-7077)	Nessus	Oracle Linux Local Security Checks	high
185819	Oracle Linux 9 : kernel (ELSA-2023-6583)	Nessus	Oracle Linux Local Security Checks	high
185679	RHEL 8 : kernel (RHSA-2023:7077)	Nessus	Red Hat Local Security Checks	high
185666	RHEL 8 : kernel-rt (RHSA-2023:6901)	Nessus	Red Hat Local Security Checks	high
182669	SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3988-1)	Nessus	SuSE Local Security Checks	high
182572	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3971-1)	Nessus	SuSE Local Security Checks	high
181779	SUSE SLES15 Security Update : kernel (SUSE-SU-2023:3599-2)	Nessus	SuSE Local Security Checks	high
181742	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3704-1)	Nessus	SuSE Local Security Checks	high
181574	SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3656-1)	Nessus	SuSE Local Security Checks	high
181457	SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2023:3599-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2022-38457

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high