Ubuntu update for linux-raspi
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2021-47188 CVE-2024-42160 CVE-2024-42228 CVE-2022-48863 CVE-2024-26677 CVE-2024-26787 CVE-2024-38570 CVE-2024-39494 CVE-2022-48791 CVE-2024-27012 |
| CWE-ID | CWE-399 CWE-20 CWE-908 CWE-401 CWE-200 CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system linux-image-raspi (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-raspi2 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1117-raspi (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU93843
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-47188
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the ufshcd_abort() function in drivers/scsi/ufs/ufshcd.c. A local user can perform a denial of service (DoS) attack.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU94999
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-42160
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the f2fs_build_fault_attr() and parse_options() functions in fs/f2fs/super.c. A local user can perform a denial of service (DoS) attack.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use of uninitialized resource
EUVDB-ID: #VU95029
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-42228
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to use of uninitialized resource within the amdgpu_vce_ring_parse_cs() function in drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c. A local user can perform a denial of service (DoS) attack.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory leak
EUVDB-ID: #VU94393
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-48863
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the dsp_pipeline_destroy() and dsp_pipeline_build() functions in drivers/isdn/mISDN/dsp_pipeline.c. A local user can perform a denial of service (DoS) attack.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU94139
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-26677
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the rxrpc_propose_delay_ACK(), rxrpc_send_initial_ping() and rxrpc_input_call_event() functions in net/rxrpc/call_event.c. A local user can perform a denial of service (DoS) attack.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU89239
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-26787
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output within the sdmmc_idma_start() function in drivers/mmc/host/mmci_stm32_sdmmc.c. A local user can gain access to sensitive information.
Update the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU92309
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-38570
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the gfs2_gl_hash_clear() function in fs/gfs2/super.c, within the init_sbd() function in fs/gfs2/ops_fstype.c, within the gdlm_ast(), gdlm_bast() and gdlm_put_lock() functions in fs/gfs2/lock_dlm.c, within the glock_blocked_by_withdraw() and gfs2_gl_hash_clear() functions in fs/gfs2/glock.c. A local user can escalate privileges on the system.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free
EUVDB-ID: #VU94223
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-39494
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the ima_eventname_init_common() function in security/integrity/ima/ima_template_lib.c, within the ima_collect_measurement() and ima_d_path() functions in security/integrity/ima/ima_api.c. A local user can escalate privileges on the system.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU94421
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-48791
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the pm8001_exec_internal_tmf_task() function in drivers/scsi/pm8001/pm8001_sas.c. A local user can escalate privileges on the system.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Memory leak
EUVDB-ID: #VU90461
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-27012
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the nft_rbtree_activate() and nft_rbtree_walk() functions in net/netfilter/nft_set_rbtree.c, within the nft_pipapo_activate() and nft_pipapo_walk() functions in net/netfilter/nft_set_pipapo.c, within the nft_rhash_activate(), nft_rhash_walk(), nft_hash_activate() and nft_hash_walk() functions in net/netfilter/nft_set_hash.c, within the nft_bitmap_activate() and nft_bitmap_walk() functions in net/netfilter/nft_set_bitmap.c, within the nft_mapelem_deactivate(), nft_map_catchall_deactivate(), nft_setelem_validate(), nf_tables_bind_check_setelem(), nft_mapelem_activate(), nft_map_catchall_activate(), nf_tables_dump_setelem(), nft_setelem_activate(), nft_setelem_flush() and nf_tables_loop_check_setelem() functions in net/netfilter/nf_tables_api.c. A local user can perform a denial of service (DoS) attack.
MitigationUpdate the affected package linux-raspi to the latest version.
Vulnerable software versionsUbuntu: 20.04
linux-image-raspi (Ubuntu package): before 5.4.0.1117.147
linux-image-raspi2 (Ubuntu package): before 5.4.0.1117.147
linux-image-5.4.0-1117-raspi (Ubuntu package): before 5.4.0-1117.129
CPE2.3- cpe:2.3:a:canonical:linux-image-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-raspi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:linux-image-5.4.0-1117-raspi_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-7022-2
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
