Ubuntu update for linux

Published: 2024-12-10

Risk	Medium
Patch available	YES
Number of vulnerabilities	40
CVE-ID	CVE-2021-47055 CVE-2024-26675 CVE-2024-42244 CVE-2024-46743 CVE-2024-41095 CVE-2024-46756 CVE-2024-46723 CVE-2024-46759 CVE-2024-35877 CVE-2024-38538 CVE-2024-26668 CVE-2024-44998 CVE-2024-42309 CVE-2024-46758 CVE-2024-46800 CVE-2022-48733 CVE-2023-52531 CVE-2023-52599 CVE-2024-46722 CVE-2024-42240 CVE-2024-44987 CVE-2023-52502 CVE-2023-52578 CVE-2024-41059 CVE-2024-41071 CVE-2024-44942 CVE-2024-46738 CVE-2022-48943 CVE-2023-52614 CVE-2024-27397 CVE-2024-38560 CVE-2024-43882 CVE-2024-42104 CVE-2024-46757 CVE-2024-26636 CVE-2024-26633 CVE-2024-41089 CVE-2024-42310 CVE-2022-48938 CVE-2022-24448
CWE-ID	CWE-667 CWE-20 CWE-125 CWE-476 CWE-191 CWE-401 CWE-908 CWE-190 CWE-416 CWE-119 CWE-362 CWE-909
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Ubuntu Operating systems & Components / Operating system linux-image-4.4.0-1138-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-261-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-261-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1176-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1139-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 40 vulnerabilities.

1) Improper locking

EUVDB-ID: #VU91543

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47055

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the mtdchar_ioctl() function in drivers/mtd/mtdchar.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU90858

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26675

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the ppp_async_ioctl() function in drivers/net/ppp/ppp_async.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU95510

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42244

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the mos7840_port_remove() function in drivers/usb/serial/mos7840.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU97503

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46743

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the of_irq_parse_one() function in drivers/of/irq.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU94966

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41095

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the nv17_tv_get_ld_modes() function in drivers/gpu/drm/nouveau/dispnv04/tvnv17.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Integer underflow

EUVDB-ID: #VU97551

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46756

CWE-ID: CWE-191 - Integer underflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to integer underflow within the store_target_temp() and store_tolerance() functions in drivers/hwmon/w83627ehf.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds read

EUVDB-ID: #VU97509

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46723

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the amdgpu_cgs_get_firmware_info() function in drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Integer underflow

EUVDB-ID: #VU97554

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46759

CWE-ID: CWE-191 - Integer underflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to integer underflow within the adc128_set_in() and adc128_set_temp() functions in drivers/hwmon/adc128d818.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory leak

EUVDB-ID: #VU91638

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35877

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the follow_phys() function in mm/memory.c, within the is_cow_mapping(), free_pfn_range() and untrack_pfn() functions in arch/x86/mm/pat.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use of uninitialized resource

EUVDB-ID: #VU92373

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38538

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the EXPORT_SYMBOL_GPL() and br_dev_xmit() functions in net/bridge/br_device.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Integer overflow

EUVDB-ID: #VU91180

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26668

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to integer overflow within the nft_limit_eval() and nft_limit_init() functions in net/netfilter/nft_limit.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU96842

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44998

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the dequeue_rx() function in drivers/atm/idt77252.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) NULL pointer dereference

EUVDB-ID: #VU96135

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42309

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the psb_intel_lvds_get_modes() function in drivers/gpu/drm/gma500/psb_intel_lvds.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Integer underflow

EUVDB-ID: #VU97553

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46758

CWE-ID: CWE-191 - Integer underflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to integer underflow within the set_tcrit2(), set_tcrit1(), set_tcrit1_hyst() and set_offset() functions in drivers/hwmon/lm95234.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

EUVDB-ID: #VU97501

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46800

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the qdisc_enqueue() function in net/sched/sch_netem.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free

EUVDB-ID: #VU92895

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-48733

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the btrfs_wait_delalloc_flush() and btrfs_commit_transaction() functions in fs/btrfs/transaction.c, within the create_snapshot() function in fs/btrfs/ioctl.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Buffer overflow

EUVDB-ID: #VU91210

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52531

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the drivers/net/wireless/intel/iwlwifi/mvm/fw.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU88105

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52599

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the diNewExt() function in fs/jfs/jfs_imap.c. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Out-of-bounds read

EUVDB-ID: #VU97508

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46722

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the amdgpu_atombios_init_mc_reg_table() function in drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Buffer overflow

EUVDB-ID: #VU95516

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42240

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the SYM_INNER_LABEL() function in arch/x86/entry/entry_64_compat.S. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Use-after-free

EUVDB-ID: #VU96839

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44987

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ip6_send_skb() function in net/ipv6/ip6_output.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Race condition

EUVDB-ID: #VU88106

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52502

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() functions in net/nfc/llcp_core.c. A local user can exploit the race and execute arbitrary code with elevated privileges.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Race condition

EUVDB-ID: #VU89384

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52578

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a data race within the br_handle_frame_finish() function in net/bridge/br_input.c. A local user can exploit the race and perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Use of uninitialized resource

EUVDB-ID: #VU95033

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41059

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the hfsplus_listxattr() function in fs/hfsplus/xattr.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Out-of-bounds read

EUVDB-ID: #VU94956

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41071

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the ieee80211_prep_hw_scan() function in net/mac80211/scan.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Input validation error

EUVDB-ID: #VU96552

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44942

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the fs/f2fs/gc.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Use-after-free

EUVDB-ID: #VU97491

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46738

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the vmci_resource_remove() function in drivers/misc/vmw_vmci/vmci_resource.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper locking

EUVDB-ID: #VU96433

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-48943

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the shadow_page_table_clear_flood() function in arch/x86/kvm/mmu/mmu.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Buffer overflow

EUVDB-ID: #VU91315

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52614

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the trans_stat_show() function in drivers/devfreq/devfreq.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper locking

EUVDB-ID: #VU92027

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27397

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __nft_rbtree_insert(), nft_rbtree_deactivate() and nft_rbtree_gc() functions in net/netfilter/nft_set_rbtree.c, within the pipapo_get(), nft_pipapo_get(), nft_pipapo_insert(), pipapo_gc() and pipapo_deactivate() functions in net/netfilter/nft_set_pipapo.c, within the nft_rhash_key(), nft_rhash_cmp(), nft_rhash_lookup(), nft_rhash_get(), nft_rhash_update(), nft_rhash_insert() and nft_rhash_deactivate() functions in net/netfilter/nft_set_hash.c, within the nft_trans_gc_catchall_sync() and nf_tables_valid_genid() functions in net/netfilter/nf_tables_api.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Out-of-bounds read

EUVDB-ID: #VU92327

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38560

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the bfad_debugfs_write_regrd() and bfad_debugfs_write_regwr() functions in drivers/scsi/bfa/bfad_debugfs.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper locking

EUVDB-ID: #VU96295

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43882

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the bprm_fill_uid() function in fs/exec.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Use-after-free

EUVDB-ID: #VU94937

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42104

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nilfs_check_page() and nilfs_error() functions in fs/nilfs2/dir.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Integer underflow

EUVDB-ID: #VU97552

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46757

CWE-ID: CWE-191 - Integer underflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to integer underflow within the store_temp_offset() function in drivers/hwmon/nct6775.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Input validation error

EUVDB-ID: #VU90859

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26636

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the llc_ui_sendmsg() function in net/llc/af_llc.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Input validation error

EUVDB-ID: #VU89267

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-26633

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in NEXTHDR_FRAGMENT handling within the ip6_tnl_parse_tlv_enc_lim() function in net/ipv6/ip6_tunnel.c. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) NULL pointer dereference

EUVDB-ID: #VU94971

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41089

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the nv17_tv_get_hd_modes() function in drivers/gpu/drm/nouveau/dispnv04/tvnv17.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) NULL pointer dereference

EUVDB-ID: #VU96134

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42310

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the cdv_intel_lvds_get_modes() function in drivers/gpu/drm/gma500/cdv_intel_lvds.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Input validation error

EUVDB-ID: #VU96438

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-48938

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the cdc_ncm_rx_fixup() function in drivers/net/usb/cdc_ncm.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Missing initialization of resource

EUVDB-ID: #VU61211

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-24448

CWE-ID: CWE-909 - Missing initialization of resource

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to missing initialization of resource within the fs/nfs/dir.c in the Linux kernel. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1138-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-261-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1176-aws (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1139-kvm (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-kvm (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7148-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.