Ubuntu update for linux



Risk: Critical

Patch available: YES

Number of vulnerabilities: 35

CVE-ID: CVE-2024-36971, CVE-2024-42271, CVE-2024-38630, CVE-2024-38602, CVE-2024-42223, CVE-2024-44940, CVE-2023-52528, CVE-2024-41097, CVE-2024-27051, CVE-2024-42157, CVE-2024-46673, CVE-2024-39494, CVE-2024-42089, CVE-2024-41073, CVE-2024-26810, CVE-2024-26960, CVE-2024-38611, CVE-2024-31076, CVE-2024-26754, CVE-2023-52510, CVE-2024-40941, CVE-2024-45016, CVE-2024-38627, CVE-2024-38621, CVE-2024-39487, CVE-2024-27436, CVE-2024-40901, CVE-2024-26812, CVE-2024-42244, CVE-2024-42229, CVE-2024-43858, CVE-2024-42280, CVE-2024-26641, CVE-2024-42284, CVE-2024-26602

CWE-ID: CWE-416, CWE-401, CWE-190, CWE-399, CWE-908, CWE-476, CWE-20, CWE-415, CWE-667, CWE-362, CWE-119, CWE-125, CWE-787, CWE-824, CWE-400

Exploitation vector: Network

Public exploit: Vulnerability #1 is being exploited in the wild.
Vulnerable software

Ubuntu (Operating systems & Components / Operating system)

Ubuntu packages (Operating systems & Components / Operating system package or component):

linux-image-4.15.0-230-lowlatency
linux-image-4.15.0-230-generic
linux-image-4.15.0-1182-azure
linux-image-4.15.0-1174-aws
linux-image-4.15.0-1167-gcp
linux-image-4.15.0-1157-kvm
linux-image-4.15.0-1136-oracle
linux-image-oracle-lts-18.04
linux-image-gcp-lts-18.04
linux-image-azure-lts-18.04
linux-image-aws-lts-18.04
linux-image-lowlatency
linux-image-kvm
linux-image-generic
linux-image-virtual
linux-image-gcp
linux-image-gke
linux-image-aws-hwe
linux-image-generic-hwe-16.04
linux-image-lowlatency-hwe-16.04
linux-image-oem
linux-image-virtual-hwe-16.04
linux-image-oracle

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 35 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU91597

Risk: Critical

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2024-36971

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to a use-after-free error within the xfrm_link_failure() function in net/xfrm/xfrm_policy.c, the ip6_dst_check() function in net/ipv6/route.c, and the ipv4_dst_check() and ip_do_redirect() functions in net/ipv4/route.c. A remote attacker can send specially crafted packets to the system and execute arbitrary code.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Use-after-free

EUVDB-ID: #VU96105

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42271

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the iucv_sever_path() function in net/iucv/af_iucv.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU93021

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38630

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the cpu5wdt_exit() function in drivers/watchdog/cpu5wdt.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

EUVDB-ID: #VU92296

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38602

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ax25_addr_ax25dev(), ax25_dev_device_up() and ax25_dev_device_down() functions in net/ax25/ax25_dev.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Integer overflow

EUVDB-ID: #VU95037

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42223

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an integer overflow within the tda10048_set_if() function in drivers/media/dvb-frontends/tda10048.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource management error

EUVDB-ID: #VU96553

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44940

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the NAPI_GRO_CB() function in net/ipv4/fou_core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use of uninitialized resource

EUVDB-ID: #VU90884

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52528

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the use of an uninitialized resource within the __smsc75xx_read_reg() function in drivers/net/usb/smsc75xx.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Resource management error

EUVDB-ID: #VU95067

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41097

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the cxacru_bind() function in drivers/usb/atm/cxacru.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

EUVDB-ID: #VU91501

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27051

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the brcm_avs_is_firmware_loaded() function in drivers/cpufreq/brcmstb-avs-cpufreq.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Input validation error

EUVDB-ID: #VU95090

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42157

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the pkey_unlocked_ioctl() function in drivers/s390/crypto/pkey_api.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Use-after-free

EUVDB-ID: #VU97251

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46673

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the aac_init_adapter() function in drivers/scsi/aacraid/comminit.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU94223

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-39494

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ima_eventname_init_common() function in security/integrity/ima/ima_template_lib.c, and within the ima_collect_measurement() and ima_d_path() functions in security/integrity/ima/ima_api.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) NULL pointer dereference

EUVDB-ID: #VU94964

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42089

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the fsl_asoc_card_probe() function in sound/soc/fsl/fsl-asoc-card.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Double free

EUVDB-ID: #VU95011

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41073

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the nvme_cleanup_cmd() function in drivers/nvme/host/core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper locking

EUVDB-ID: #VU91318

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26810

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the vfio_send_intx_eventfd(), vfio_pci_intx_mask(), vfio_pci_intx_unmask_handler(), vfio_pci_set_intx_unmask() and vfio_pci_set_intx_mask() functions in drivers/vfio/pci/vfio_pci_intrs.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Race condition

EUVDB-ID: #VU91475

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26960

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the __swap_entry_free_locked() and free_swap_and_cache() functions in mm/swapfile.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory leak

EUVDB-ID: #VU92298

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38611

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the et8ek8_remove() and __exit_p() functions in drivers/media/i2c/et8ek8/et8ek8_driver.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory leak

EUVDB-ID: #VU93016

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-31076

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the migrate_one_irq() function in kernel/irq/cpuhotplug.c, and within the __send_cleanup_vector(), irq_complete_move() and irq_force_complete_move() functions in arch/x86/kernel/apic/vector.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Use-after-free

EUVDB-ID: #VU90217

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26754

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the gtp_init() function in drivers/net/gtp.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Use-after-free

EUVDB-ID: #VU90235

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52510

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ca8210_register_ext_clock() and ca8210_unregister_ext_clock() functions in drivers/net/ieee802154/ca8210.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Buffer overflow

EUVDB-ID: #VU94315

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40941

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the iwl_mvm_mfu_assert_dump_notif() function in drivers/net/wireless/intel/iwlwifi/mvm/fw.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Use-after-free

EUVDB-ID: #VU97169

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-45016

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the netem_enqueue() function in net/sched/sch_netem.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Double free

EUVDB-ID: #VU93040

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38627

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the stm_register_device() function in drivers/hwtracing/stm/core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Out-of-bounds read

EUVDB-ID: #VU93025

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38621

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the stk1160_buffer_done() and stk1160_copy_video() functions in drivers/media/usb/stk1160/stk1160-video.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Out-of-bounds read

EUVDB-ID: #VU93889

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-39487

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the bond_option_arp_ip_targets_set() function in drivers/net/bonding/bond_options.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Out-of-bounds write

EUVDB-ID: #VU93594

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27436

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds write within the convert_chmap() function in sound/usb/stream.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Out-of-bounds read

EUVDB-ID: #VU94233

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40901

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the mpt3sas_base_attach() and _base_check_ioc_facts_changes() functions in drivers/scsi/mpt3sas/mpt3sas_base.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper locking

EUVDB-ID: #VU91529

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26812

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the vfio_send_intx_eventfd(), vfio_intx_handler() and vfio_pci_set_intx_trigger() functions in drivers/vfio/pci/vfio_pci_intrs.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Input validation error

EUVDB-ID: #VU95510

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42244

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the mos7840_port_remove() function in drivers/usb/serial/mos7840.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Buffer overflow

EUVDB-ID: #VU95078

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42229

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the setkey_unaligned() function in crypto/cipher.c and within the setkey_unaligned() function in crypto/aead.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Out-of-bounds read

EUVDB-ID: #VU96113

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43858

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the diSync() and diRead() functions in fs/jfs/jfs_imap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Use-after-free

EUVDB-ID: #VU96106

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42280

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the hfcmulti_dtmf() and HFC_wait_nodebug() functions in drivers/isdn/hardware/mISDN/hfcmulti.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Access of Uninitialized Pointer

EUVDB-ID: #VU89396

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-26641

CWE-ID: CWE-824 - Access of Uninitialized Pointer

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to access to uninitialized data within the __ip6_tnl_rcv() function in net/ipv6/ip6_tunnel.c. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Buffer overflow

EUVDB-ID: #VU96176

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42284

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the tipc_udp_addr2str() function in net/tipc/udp_media.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Resource exhaustion

EUVDB-ID: #VU87499

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26602

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper resource management in kernel/sched/membarrier.c. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

linux-image-4.15.0-230-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-230-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1182-azure (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1174-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1167-gcp (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1157-kvm (Ubuntu package): before Ubuntu Pro

linux-image-4.15.0-1136-oracle (Ubuntu package): before Ubuntu Pro

linux-image-oracle-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-gcp-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-azure-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-aws-lts-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gke (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws-hwe (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual-hwe-16.04 (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

External links

https://ubuntu.com/security/notices/USN-7069-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


