Ubuntu update for linux

Published: 2025-03-05 | Updated: 2025-03-12

Risk	High
Patch available	YES
Number of vulnerabilities	36
CVE-ID	CVE-2022-48994 CVE-2024-43900 CVE-2024-40943 CVE-2024-41063 CVE-2024-42070 CVE-2024-38567 CVE-2024-36964 CVE-2023-52522 CVE-2024-53156 CVE-2024-53104 CVE-2024-43854 CVE-2024-42068 CVE-2023-52818 CVE-2024-44931 CVE-2021-47103 CVE-2023-52799 CVE-2024-43893 CVE-2024-36886 CVE-2024-49902 CVE-2024-36952 CVE-2024-40911 CVE-2023-52488 CVE-2024-35896 CVE-2024-50117 CVE-2024-50171 CVE-2021-47606 CVE-2024-40910 CVE-2024-43892 CVE-2024-50148 CVE-2024-41064 CVE-2024-44938 CVE-2024-50233 CVE-2023-52880 CVE-2024-43863 CVE-2024-26685 CVE-2024-40981
CWE-ID	CWE-20 CWE-416 CWE-667 CWE-843 CWE-269 CWE-399 CWE-125 CWE-787 CWE-401 CWE-682 CWE-362 CWE-476 CWE-369 CWE-264
Exploitation vector	Network
Public exploit	Vulnerability #10 is being exploited in the wild.
Vulnerable software	Ubuntu Operating systems & Components / Operating system linux-image-4.4.0-1141-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-266-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-266-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1179-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 36 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU99195

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-48994

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the EXPORT_SYMBOL() and snd_seq_expand_var_event() functions in sound/core/seq/seq_memory.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

EUVDB-ID: #VU96515

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43900

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the load_firmware_cb() function in drivers/media/tuners/xc2028.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper locking

EUVDB-ID: #VU94278

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40943

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __ocfs2_change_file_space() function in fs/ocfs2/file.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper locking

EUVDB-ID: #VU94992

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41063

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the hci_unregister_dev() function in net/bluetooth/hci_core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Type Confusion

EUVDB-ID: #VU94923

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42070

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a type confusion error within the nft_lookup_init() function in net/netfilter/nft_lookup.c, within the nf_tables_fill_setelem() and nft_validate_register_store() functions in net/netfilter/nf_tables_api.c. A local user can pass specially crafted data to the packet filtering to trigger a type confusion error and gain access to sensitive information.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU92370

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-38567

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the carl9170_usb_probe() function in drivers/net/wireless/ath/carl9170/usb.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper privilege management

EUVDB-ID: #VU93734

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-36964

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a local user to read and manipulate data.

The vulnerability exists due to improperly imposed permissions within the p9mode2perm() function in fs/9p/vfs_inode.c. A local user can read and manipulate data.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Resource management error

EUVDB-ID: #VU89387

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52522

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the neigh_periodic_work() function in net/core/neighbour.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Out-of-bounds read

EUVDB-ID: #VU101911

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53156

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the htc_connect_service() function in drivers/net/wireless/ath/ath9k/htc_hst.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Out-of-bounds write

EUVDB-ID: #VU101102

Risk: High

CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-53104

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an out-of-bounds read error within the uvc_parse_format() function in drivers/media/usb/uvc/uvc_driver.c. A local user can trigger an out-of-bounds write and execute arbitrary code on the system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

11) Memory leak

EUVDB-ID: #VU96099

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43854

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the bio_integrity_prep() function in block/bio-integrity.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Incorrect calculation

EUVDB-ID: #VU95076

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-42068

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect calculation within the jit_subprogs() function in kernel/bpf/verifier.c, within the bpf_prog_select_runtime() function in kernel/bpf/core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Out-of-bounds read

EUVDB-ID: #VU90289

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52818

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the drivers/gpu/drm/amd/include/pptable.h, drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory leak

EUVDB-ID: #VU96512

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44931

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the gpiochip_get_desc() function in drivers/gpio/gpiolib.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

EUVDB-ID: #VU90232

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-47103

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a use-after-free error within the inet6_sk_rx_dst_set(), tcp_v6_do_rcv() and tcp_v6_early_demux() functions in net/ipv6/tcp_ipv6.c, within the udp_sk_rx_dst_set(), __udp4_lib_rcv() and udp_v4_early_demux() functions in net/ipv4/udp.c, within the tcp_v4_do_rcv(), tcp_v4_early_demux(), tcp_prequeue() and inet_sk_rx_dst_set() functions in net/ipv4/tcp_ipv4.c, within the tcp_rcv_established() function in net/ipv4/tcp_input.c, within the tcp_disconnect() function in net/ipv4/tcp.c, within the inet_sock_destruct() function in net/ipv4/af_inet.c. A local user can send specially crafted packets to the system, trigger a use-after-free error and potentially execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Out-of-bounds read

EUVDB-ID: #VU90281

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52799

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the dbAllocCtl(), dbFindCtl(), dbAllocDmapLev(), dbAdjTree() and dbFindLeaf() functions in fs/jfs/jfs_dmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper locking

EUVDB-ID: #VU96540

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43893

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the uart_set_info() function in drivers/tty/serial/serial_core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Use-after-free

EUVDB-ID: #VU90049

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-36886

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a use-after-free error within the tipc_buf_append() function in net/tipc/msg.c when processing fragmented TIPC messages. A remote attacker can send specially crafted packets to the system, trigger a use-after-free error and execute arbitrary code on the system in the context of the kernel.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Out-of-bounds read

EUVDB-ID: #VU98910

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-49902

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the dbAdjTree() and dbFindLeaf() functions in fs/jfs/jfs_dmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Race condition

EUVDB-ID: #VU91463

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-36952

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the lpfc_vport_delete() function in drivers/scsi/lpfc/lpfc_vport.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) NULL pointer dereference

EUVDB-ID: #VU94256

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40911

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the cfg80211_get_station() function in net/wireless/util.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Input validation error

EUVDB-ID: #VU94144

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52488

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the sc16is7xx_fifo_read(), sc16is7xx_fifo_write() and sc16is7xx_regmap_precious() functions in drivers/tty/serial/sc16is7xx.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Out-of-bounds read

EUVDB-ID: #VU90309

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35896

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the do_replace() and compat_do_replace() functions in net/ipv6/netfilter/ip6_tables.c, within the do_replace() and compat_do_replace() functions in net/ipv4/netfilter/ip_tables.c, within the do_replace() and compat_do_replace() functions in net/ipv4/netfilter/arp_tables.c, within the do_replace(), update_counters() and compat_update_counters() functions in net/bridge/netfilter/ebtables.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) NULL pointer dereference

EUVDB-ID: #VU99818

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50117

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the amdgpu_atif_call() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Memory leak

EUVDB-ID: #VU100056

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50171

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the bcm_sysport_xmit() function in drivers/net/ethernet/broadcom/bcmsysport.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Improper locking

EUVDB-ID: #VU92356

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47606

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the netlink_sendmsg() function in net/netlink/af_netlink.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Memory leak

EUVDB-ID: #VU94203

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40910

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ax25_accept() function in net/ax25/af_ax25.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Race condition

EUVDB-ID: #VU96546

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43892

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the MEM_CGROUP_ID_MAX(), mem_cgroup_alloc() and mem_cgroup_css_online() functions in mm/memcontrol.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Resource management error

EUVDB-ID: #VU100087

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50148

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the bnep_init() function in net/bluetooth/bnep/core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper locking

EUVDB-ID: #VU94991

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41064

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the eeh_pe_bus_get() function in arch/powerpc/kernel/eeh_pe.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Out-of-bounds read

EUVDB-ID: #VU96550

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-44938

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the dbDiscardAG() function in fs/jfs/jfs_dmap.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Division by zero

EUVDB-ID: #VU100200

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50233

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a division by zero error within the ad9832_calc_freqreg() function in drivers/staging/iio/frequency/ad9832.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU89899

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-52880

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to missing permissions checks within the gsmld_open() function in drivers/tty/n_gsm.c. A local user with CAP_NET_ADMIN capability can create a GSM network.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Improper locking

EUVDB-ID: #VU96297

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-43863

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the vmw_fence_obj_destroy(), vmw_fence_obj_init() and vmw_fence_goal_new_locked() functions in drivers/gpu/drm/vmwgfx/vmwgfx_fence.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Race condition

EUVDB-ID: #VU91481

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26685

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the nilfs_segctor_prepare_write(), nilfs_abort_logs() and nilfs_segctor_complete_write() functions in fs/nilfs2/segment.c. A local user can escalate privileges on the system.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Improper locking

EUVDB-ID: #VU94269

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40981

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the batadv_purge_orig_ref() function in net/batman-adv/originator.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-4.4.0-1141-aws (Ubuntu package): before linux-image-aws

linux-image-4.4.0-266-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-266-generic (Ubuntu package): before Ubuntu Pro

linux-image-4.4.0-1179-aws (Ubuntu package): before Ubuntu Pro

linux-image-virtual-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic-lts-xenial (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-generic (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-virtual (Ubuntu package): before Ubuntu Pro (Infra-only)

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7332-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.