Ubuntu update for linux

1) Race condition

EUVDB-ID: #VU92719

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24857

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to damange or delete data.

A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 24.04

linux-image-virtual-hwe-24.04 (Ubuntu package): before 6.8.0-38.38

linux-image-virtual (Ubuntu package): before 6.8.0-38.38

linux-image-raspi (Ubuntu package): before 6.8.0-1007.7

linux-image-oem-24.04a (Ubuntu package): before 6.8.0-1008.8

linux-image-oem-24.04 (Ubuntu package): before 6.8.0-1008.8

linux-image-lowlatency-64k (Ubuntu package): before 6.8.0-38.38.1

linux-image-lowlatency (Ubuntu package): before 6.8.0-38.38.1

linux-image-kvm (Ubuntu package): before 6.8.0-38.38

linux-image-intel (Ubuntu package): before 6.8.0-1007.14

linux-image-ibm-lts-24.04 (Ubuntu package): before 6.8.0-1008.8

linux-image-ibm-classic (Ubuntu package): before 6.8.0-1008.8

linux-image-ibm (Ubuntu package): before 6.8.0-1008.8

linux-image-generic-lpae (Ubuntu package): before 6.8.0-38.38

linux-image-generic-hwe-24.04 (Ubuntu package): before 6.8.0-38.38

linux-image-generic-64k-hwe-24.04 (Ubuntu package): before 6.8.0-38.38

linux-image-generic-64k (Ubuntu package): before 6.8.0-38.38

linux-image-generic (Ubuntu package): before 6.8.0-38.38

linux-image-gcp (Ubuntu package): before 6.8.0-1010.11

linux-image-azure-fde (Ubuntu package): before 6.8.0-1010.10

linux-image-azure (Ubuntu package): before 6.8.0-1010.10

linux-image-6.8.0-38-lowlatency-64k (Ubuntu package): before 6.8.0-38.38.1

linux-image-6.8.0-38-lowlatency (Ubuntu package): before 6.8.0-38.38.1

linux-image-6.8.0-38-generic-64k (Ubuntu package): before 6.8.0-38.38

linux-image-6.8.0-38-generic (Ubuntu package): before 6.8.0-38.38

linux-image-6.8.0-1010-gcp (Ubuntu package): before 6.8.0-1010.11

linux-image-6.8.0-1010-azure-fde (Ubuntu package): before 6.8.0-1010.10

linux-image-6.8.0-1010-azure (Ubuntu package): before 6.8.0-1010.10

linux-image-6.8.0-1008-oem (Ubuntu package): before 6.8.0-1008.8

linux-image-6.8.0-1008-ibm (Ubuntu package): before 6.8.0-1008.8

linux-image-6.8.0-1007-raspi (Ubuntu package): before 6.8.0-1007.7

linux-image-6.8.0-1007-intel (Ubuntu package): before 6.8.0-1007.14

CPE2.3

External links

http://ubuntu.com/security/notices/USN-6893-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU92720

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24858

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.