Ubuntu update for linux-lowlatency-hwe-6.5

1) Race condition

EUVDB-ID: #VU92719

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24857

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to damange or delete data.

A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.

Mitigation

Update the affected package linux-lowlatency-hwe-6.5 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

linux-image-lowlatency-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-lowlatency-64k-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency-64k (Ubuntu package): before 6.5.0-45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency (Ubuntu package): before 6.5.0-45.45.1~22.04.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:

External links

http://ubuntu.com/security/notices/USN-6922-2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU92720

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24858

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.

Mitigation

Update the affected package linux-lowlatency-hwe-6.5 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

linux-image-lowlatency-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-lowlatency-64k-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency-64k (Ubuntu package): before 6.5.0-45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency (Ubuntu package): before 6.5.0-45.45.1~22.04.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:

External links

http://ubuntu.com/security/notices/USN-6922-2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Race condition

EUVDB-ID: #VU92721

Risk: Low

CVSSv3.1: 4.2 [CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24859

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.

Mitigation

Update the affected package linux-lowlatency-hwe-6.5 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

linux-image-lowlatency-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-lowlatency-64k-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency-64k (Ubuntu package): before 6.5.0-45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency (Ubuntu package): before 6.5.0-45.45.1~22.04.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:

External links

http://ubuntu.com/security/notices/USN-6922-2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper check for unusual or exceptional conditions

EUVDB-ID: #VU92399

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-25739

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper check for unusual or exceptional conditions error within the ubi_read_volume_table() function in drivers/mtd/ubi/vtbl.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux-lowlatency-hwe-6.5 to the latest version.

Vulnerable software versions

Ubuntu: 22.04

linux-image-lowlatency-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-lowlatency-64k-hwe-22.04 (Ubuntu package): before 6.5.0.45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency-64k (Ubuntu package): before 6.5.0-45.45.1~22.04.1

linux-image-6.5.0-45-lowlatency (Ubuntu package): before 6.5.0-45.45.1~22.04.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:

External links

http://ubuntu.com/security/notices/USN-6922-2

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.