[
  {
    "threat_severity": "Low",
    "public_date": "2024-09-27T00:00:00Z",
    "bugzilla": {
      "description": "kernel: tracing/timerlat: Only clear timer if a kthread exists",
      "id": "2315197",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315197"
    },
    "cvss3": {
      "cvss3_base_score": "4.1",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "status": "draft"
    },
    "cwe": "CWE-416",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\ntracing/timerlat: Only clear timer if a kthread exists\nThe timerlat tracer can use user space threads to check for osnoise and\ntimer latency. If the program using this is killed via a SIGTERM, the\nthreads are shutdown one at a time and another tracing instance can start\nup resetting the threads before they are fully closed. That causes the\nhrtimer assigned to the kthread to be shutdown and freed twice when the\ndying thread finally closes the file descriptors, causing a use-after-free\nbug.\nOnly cancel the hrtimer if the associated thread is still around. Also add\nthe interface_lock around the resetting of the tlat_var->kthread.\nNote, this is just a quick fix that can be backported to stable. A real\nfix is to have a better synchronization between the shutdown of old\nthreads and the starting of new ones."
    ],
    "statement": "Only root user can enable this type of tracing. Even if enabled, the security impact is limited.",
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Fix deferred",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Fix deferred",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-46845\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46845\nhttps://lore.kernel.org/linux-cve-announce/2024092755-CVE-2024-46845-a529@gregkh/T"
    ],
    "name": "CVE-2024-46845",
    "mitigation": {
      "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
      "lang": "en:us"
    },
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-09-27T00:00:00Z",
    "bugzilla": {
      "description": "kernel: mptcp: pm: Fix uaf in __timer_delete_sync",
      "id": "2315210",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315210"
    },
    "cvss3": {
      "cvss3_base_score": "7.0",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "status": "verified"
    },
    "cwe": "CWE-416",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: pm: Fix uaf in __timer_delete_sync\nThere are two paths to access mptcp_pm_del_add_timer, result in a race\ncondition:\nCPU1CPU2\n====                               ====\nnet_rx_action\nnapi_poll                          netlink_sendmsg\n__napi_poll                        netlink_unicast\nprocess_backlog                    netlink_unicast_kernel\n__netif_receive_skb                genl_rcv\n__netif_receive_skb_one_core       netlink_rcv_skb\nNF_HOOK                            genl_rcv_msg\nip_local_deliver_finish            genl_family_rcv_msg\nip_protocol_deliver_rcu            genl_family_rcv_msg_doit\ntcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit\ntcp_v4_do_rcv                      mptcp_nl_remove_addrs_list\ntcp_rcv_established                mptcp_pm_remove_addrs_and_subflows\ntcp_data_queue                     remove_anno_list_by_saddr\nmptcp_incoming_options             mptcp_pm_del_add_timer\nmptcp_pm_del_add_timer             kfree(entry)\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \"pm.lock\", the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \"entry->add_timer\".\nMove list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \"entry->x\" uaf.",
      "A use-after-free flaw was found in the Linux kernel’s Multipath TCP (MPTCP) subsystem. This flaw allows a local user to crash or potentially escalate their privileges on the system."
    ],
    "statement": "Actual only for latest version of Red Hat Enterprise Linux 9 and latest version of Red Hat Enterprise Linux 8.",
    "affected_release": [
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "release_date": "2024-11-26T00:00:00Z",
        "advisory": "RHSA-2024:10281",
        "cpe": "cpe:/o:redhat:enterprise_linux:8",
        "package": "kernel-0:4.18.0-553.30.1.el8_10"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
        "release_date": "2024-11-26T00:00:00Z",
        "advisory": "RHSA-2024:10265",
        "cpe": "cpe:/o:redhat:rhel_aus:8.4",
        "package": "kernel-0:4.18.0-305.145.1.el8_4"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
        "release_date": "2024-11-26T00:00:00Z",
        "advisory": "RHSA-2024:10265",
        "cpe": "cpe:/o:redhat:rhel_tus:8.4",
        "package": "kernel-0:4.18.0-305.145.1.el8_4"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
        "release_date": "2024-11-26T00:00:00Z",
        "advisory": "RHSA-2024:10265",
        "cpe": "cpe:/o:redhat:rhel_e4s:8.4",
        "package": "kernel-0:4.18.0-305.145.1.el8_4"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
        "release_date": "2024-11-13T00:00:00Z",
        "advisory": "RHSA-2024:9500",
        "cpe": "cpe:/o:redhat:rhel_aus:8.6",
        "package": "kernel-0:4.18.0-372.129.1.el8_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
        "release_date": "2024-11-13T00:00:00Z",
        "advisory": "RHSA-2024:9500",
        "cpe": "cpe:/o:redhat:rhel_tus:8.6",
        "package": "kernel-0:4.18.0-372.129.1.el8_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
        "release_date": "2024-11-13T00:00:00Z",
        "advisory": "RHSA-2024:9500",
        "cpe": "cpe:/o:redhat:rhel_e4s:8.6",
        "package": "kernel-0:4.18.0-372.129.1.el8_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support",
        "release_date": "2024-11-26T00:00:00Z",
        "advisory": "RHSA-2024:10262",
        "cpe": "cpe:/o:redhat:rhel_eus:8.8",
        "package": "kernel-0:4.18.0-477.81.1.el8_8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2024-11-14T00:00:00Z",
        "advisory": "RHSA-2024:9605",
        "cpe": "cpe:/a:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-503.14.1.el9_5"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2024-11-14T00:00:00Z",
        "advisory": "RHSA-2024:9605",
        "cpe": "cpe:/o:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-503.14.1.el9_5"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
        "release_date": "2024-11-19T00:00:00Z",
        "advisory": "RHSA-2024:9942",
        "cpe": "cpe:/a:redhat:rhel_e4s:9.0",
        "package": "kernel-0:5.14.0-70.121.1.el9_0"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
        "release_date": "2024-11-19T00:00:00Z",
        "advisory": "RHSA-2024:9943",
        "cpe": "cpe:/a:redhat:rhel_e4s:9.0::nfv",
        "package": "kernel-rt-0:5.14.0-70.121.1.rt21.193.el9_0"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support",
        "release_date": "2024-11-13T00:00:00Z",
        "advisory": "RHSA-2024:9497",
        "cpe": "cpe:/a:redhat:rhel_eus:9.2",
        "package": "kernel-0:5.14.0-284.92.1.el9_2"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support",
        "release_date": "2024-11-13T00:00:00Z",
        "advisory": "RHSA-2024:9498",
        "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv",
        "package": "kernel-rt-0:5.14.0-284.92.1.rt14.377.el9_2"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support",
        "release_date": "2024-11-13T00:00:00Z",
        "advisory": "RHSA-2024:9546",
        "cpe": "cpe:/a:redhat:rhel_eus:9.4",
        "package": "kernel-0:5.14.0-427.44.1.el9_4"
      }
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-46858\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46858\nhttps://lore.kernel.org/linux-cve-announce/2024092744-CVE-2024-46858-dab6@gregkh/T"
    ],
    "name": "CVE-2024-46858",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-10-21T00:00:00Z",
    "bugzilla": {
      "description": "kernel: firmware_loader: Block path traversal",
      "id": "2320202",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320202"
    },
    "cvss3": {
      "cvss3_base_score": "7.8",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "status": "draft"
    },
    "cwe": "CWE-22",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\nfirmware_loader: Block path traversal\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n- lpfc_sli4_request_firmware_update() seems to construct the firmware\nfilename from \"ModelName\", a string that was previously parsed out of\nsome descriptor (\"Vital Product Data\") in lpfc_fill_vpd()\n- nfp_net_fw_find() seems to construct a firmware filename from a model\nname coming from nfp_hwinfo_lookup(pf->hwinfo, \"nffw.partno\"), which I\nthink parses some descriptor that was read from the device.\n(But this case likely isn't exploitable because the format string looks\nlike \"netronome/nic_%s\", and there shouldn't be any *folders* starting\nwith \"netronome/nic_\". The previous case was different because there,\nthe \"%s\" is *at the start* of the format string.)\n- module_flash_fw_schedule() is reachable from the\nETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\nGENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\nenough to pass the privilege check), and takes a userspace-provided\nfirmware name.\n(But I think to reach this case, you need to have CAP_NET_ADMIN over a\nnetwork namespace that a special kind of ethernet device is mapped into,\nso I think this is not a viable attack path in practice.)\nFix it by rejecting any firmware names containing \"..\" path components.\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously."
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-47742\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47742\nhttps://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47742-b72d@gregkh/T"
    ],
    "name": "CVE-2024-47742",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-10-21T00:00:00Z",
    "bugzilla": {
      "description": "kernel: driver core: bus: Fix double free in driver API bus_register()",
      "id": "2320615",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320615"
    },
    "cvss3": {
      "cvss3_base_score": "6.7",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "status": "verified"
    },
    "cwe": "CWE-415",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\ndriver core: bus: Fix double free in driver API bus_register()\nFor bus_register(), any error which happens after kset_register() will\ncause that @priv are freed twice, fixed by setting @priv with NULL after\nthe first free."
    ],
    "statement": "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H).",
    "affected_release": [
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-05-13T00:00:00Z",
        "advisory": "RHSA-2025:6966",
        "cpe": "cpe:/a:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-570.12.1.el9_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-05-13T00:00:00Z",
        "advisory": "RHSA-2025:6966",
        "cpe": "cpe:/o:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-570.12.1.el9_6"
      }
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Will not fix",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Will not fix",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Will not fix",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-50055\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50055\nhttps://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50055-7d1f@gregkh/T"
    ],
    "name": "CVE-2024-50055",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-10-23T00:00:00Z",
    "bugzilla": {
      "description": "kernel: mm/mremap: fix move_normal_pmd/retract_page_tables race",
      "id": "2321460",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321460"
    },
    "cvss3": {
      "cvss3_base_score": "7.1",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "status": "draft"
    },
    "cwe": "CWE-362",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\nmm/mremap: fix move_normal_pmd/retract_page_tables race\nIn mremap(), move_page_tables() looks at the type of the PMD entry and the\nspecified address range to figure out by which method the next chunk of\npage table entries should be moved.\nAt that point, the mmap_lock is held in write mode, but no rmap locks are\nheld yet.  For PMD entries that point to page tables and are fully covered\nby the source address range, move_pgt_entry(NORMAL_PMD, ...) is called,\nwhich first takes rmap locks, then does move_normal_pmd(). \nmove_normal_pmd() takes the necessary page table locks at source and\ndestination, then moves an entire page table from the source to the\ndestination.\nThe problem is: The rmap locks, which protect against concurrent page\ntable removal by retract_page_tables() in the THP code, are only taken\nafter the PMD entry has been read and it has been decided how to move it. \nSo we can race as follows (with two processes that have mappings of the\nsame tmpfs file that is stored on a tmpfs mount with huge=advise); note\nthat process A accesses page tables through the MM while process B does it\nthrough the file rmap:\nprocess A                      process B\n=========                      =========\nmremap\nmremap_to\nmove_vma\nmove_page_tables\nget_old_pmd\nalloc_new_pmd\n*** PREEMPT ***\nmadvise(MADV_COLLAPSE)\ndo_madvise\nmadvise_walk_vmas\nmadvise_vma_behavior\nmadvise_collapse\nhpage_collapse_scan_file\ncollapse_file\nretract_page_tables\ni_mmap_lock_read(mapping)\npmdp_collapse_flush\ni_mmap_unlock_read(mapping)\nmove_pgt_entry(NORMAL_PMD, ...)\ntake_rmap_locks\nmove_normal_pmd\ndrop_rmap_locks\nWhen this happens, move_normal_pmd() can end up creating bogus PMD entries\nin the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`.  The effect\ndepends on arch-specific and machine-specific details; on x86, you can end\nup with physical page 0 mapped as a page table, which is likely\nexploitable for user->kernel privilege escalation.\nFix the race by letting process B recheck that the PMD still points to a\npage table after the rmap locks have been taken.  Otherwise, we bail and\nlet the caller fall back to the PTE-level copying path, which will then\nbail immediately at the pmd_none() check.\nBug reachability: Reaching this bug requires that you can create\nshmem/file THP mappings - anonymous THP uses different code that doesn't\nzap stuff under rmap locks.  File THP is gated on an experimental config\nflag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need\nshmem THP to hit this bug.  As far as I know, getting shmem THP normally\nrequires that you can mount your own tmpfs with the right mount flags,\nwhich would require creating your own user+mount namespace; though I don't\nknow if some distros maybe enable shmem THP by default or something like\nthat.\nBug impact: This issue can likely be used for user->kernel privilege\nescalation when it is reachable."
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-50066\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50066\nhttps://lore.kernel.org/linux-cve-announce/2024102340-CVE-2024-50066-7803@gregkh/T"
    ],
    "name": "CVE-2024-50066",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-10-29T00:00:00Z",
    "bugzilla": {
      "description": "kernel: tcp: fix mptcp DSS corruption due to large pmtu xmit",
      "id": "2322311",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322311"
    },
    "cvss3": {
      "cvss3_base_score": "7.1",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "status": "draft"
    },
    "cwe": "CWE-130",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\ntcp: fix mptcp DSS corruption due to large pmtu xmit\nSyzkaller was able to trigger a DSS corruption:\nTCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies.\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695\nModules linked in:\nCPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695\nCode: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff\nRSP: 0018:ffffc90000006db8 EFLAGS: 00010246\nRAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00\nRDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0\nRBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8\nR10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000\nR13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5\nFS:  000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<IRQ>\nmove_skbs_to_msk net/mptcp/protocol.c:811 [inline]\nmptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854\nsubflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490\ntcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283\ntcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237\ntcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915\ntcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350\nip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205\nip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233\nNF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\nNF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n__netif_receive_skb_one_core net/core/dev.c:5662 [inline]\n__netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775\nprocess_backlog+0x662/0x15b0 net/core/dev.c:6107\n__napi_poll+0xcb/0x490 net/core/dev.c:6771\nnapi_poll net/core/dev.c:6840 [inline]\nnet_rx_action+0x89b/0x1240 net/core/dev.c:6962\nhandle_softirqs+0x2c5/0x980 kernel/softirq.c:554\ndo_softirq+0x11b/0x1e0 kernel/softirq.c:455\n</IRQ>\n<TASK>\n__local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382\nlocal_bh_enable include/linux/bottom_half.h:33 [inline]\nrcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n__dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451\ndev_queue_xmit include/linux/netdevice.h:3094 [inline]\nneigh_hh_output include/net/neighbour.h:526 [inline]\nneigh_output include/net/neighbour.h:540 [inline]\nip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236\nip_local_out net/ipv4/ip_output.c:130 [inline]\n__ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536\n__tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466\ntcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\ntcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline]\ntcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752\n__tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015\ntcp_push_pending_frames include/net/tcp.h:2107 [inline]\ntcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline]\ntcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239\ntcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915\nsk_backlog_rcv include/net/sock.h:1113 [inline]\n__release_sock+0x214/0x350 net/core/sock.c:3072\nrelease_sock+0x61/0x1f0 net/core/sock.c:3626\nmptcp_push_\n---truncated---"
    ],
    "statement": "This seems to be a corruption and availability in the TCP protocol and its connection.",
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Will not fix",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Will not fix",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Will not fix",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Will not fix",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-50083\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50083\nhttps://lore.kernel.org/linux-cve-announce/2024102937-CVE-2024-50083-539c@gregkh/T"
    ],
    "name": "CVE-2024-50083",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-12-27T00:00:00Z",
    "bugzilla": {
      "description": "kernel: net: avoid potential UAF in default_operstate()",
      "id": "2334570",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334570"
    },
    "cvss3": {
      "cvss3_base_score": "7.0",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "status": "draft"
    },
    "cwe": "CWE-416",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\nnet: avoid potential UAF in default_operstate()\nsyzbot reported an UAF in default_operstate() [1]\nIssue is a race between device and netns dismantles.\nAfter calling __rtnl_unlock() from netdev_run_todo(),\nwe can not assume the netns of each device is still alive.\nMake sure the device is not in NETREG_UNREGISTERED state,\nand add an ASSERT_RTNL() before the call to\n__dev_get_by_index().\nWe might move this ASSERT_RTNL() in __dev_get_by_index()\nin the future.\n[1]\nBUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852\nRead of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339\nCPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:489\nkasan_report+0x143/0x180 mm/kasan/report.c:602\n__dev_get_by_index+0x5d/0x110 net/core/dev.c:852\ndefault_operstate net/core/link_watch.c:51 [inline]\nrfc2863_policy+0x224/0x300 net/core/link_watch.c:67\nlinkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170\nnetdev_run_todo+0x461/0x1000 net/core/dev.c:10894\nrtnl_unlock net/core/rtnetlink.c:152 [inline]\nrtnl_net_unlock include/linux/rtnetlink.h:133 [inline]\nrtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520\nrtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911\nnetlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541\nnetlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\nnetlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\nnetlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\nsock_sendmsg_nosec net/socket.c:711 [inline]\n__sock_sendmsg+0x221/0x270 net/socket.c:726\n____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n___sys_sendmsg net/socket.c:2637 [inline]\n__sys_sendmsg+0x269/0x350 net/socket.c:2669\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2a3cb80809\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809\nRDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008\nRBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8\n</TASK>\nAllocated by task 5339:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314\nkmalloc_noprof include/linux/slab.h:901 [inline]\nkmalloc_array_noprof include/linux/slab.h:945 [inline]\nnetdev_create_hash net/core/dev.c:11870 [inline]\nnetdev_init+0x10c/0x250 net/core/dev.c:11890\nops_init+0x31e/0x590 net/core/net_namespace.c:138\nsetup_net+0x287/0x9e0 net/core/net_namespace.c:362\ncopy_net_ns+0x33f/0x570 net/core/net_namespace.c:500\ncreate_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110\nunshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228\nksys_unshare+0x57d/0xa70 kernel/fork.c:3314\n__do_sys_unshare kernel/fork.c:3385 [inline]\n__se_sys_unshare kernel/fork.c:3383 [inline]\n__x64_sys_unshare+0x38/0x40 kernel/fork.c:3383\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x8\n---truncated---"
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-56635\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56635\nhttps://lore.kernel.org/linux-cve-announce/2024122734-CVE-2024-56635-3014@gregkh/T"
    ],
    "name": "CVE-2024-56635",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-12-27T00:00:00Z",
    "bugzilla": {
      "description": "kernel: blk-cgroup: Fix UAF in blkcg_unpin_online()",
      "id": "2334537",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334537"
    },
    "cvss3": {
      "cvss3_base_score": "6.4",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "status": "verified"
    },
    "cwe": "CWE-416",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\nblk-cgroup: Fix UAF in blkcg_unpin_online()\nblkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To\nwalk up, it uses blkcg_parent(blkcg) but it was calling that after\nblkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the\nfollowing UAF:\n==================================================================\nBUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270\nRead of size 8 at addr ffff8881057678c0 by task kworker/9:1/117\nCPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022\nWorkqueue: cgwb_release cgwb_release_workfn\nCall Trace:\n<TASK>\ndump_stack_lvl+0x27/0x80\nprint_report+0x151/0x710\nkasan_report+0xc0/0x100\nblkcg_unpin_online+0x15a/0x270\ncgwb_release_workfn+0x194/0x480\nprocess_scheduled_works+0x71b/0xe20\nworker_thread+0x82a/0xbd0\nkthread+0x242/0x2c0\nret_from_fork+0x33/0x70\nret_from_fork_asm+0x1a/0x30\n</TASK>\n...\nFreed by task 1944:\nkasan_save_track+0x2b/0x70\nkasan_save_free_info+0x3c/0x50\n__kasan_slab_free+0x33/0x50\nkfree+0x10c/0x330\ncss_free_rwork_fn+0xe6/0xb30\nprocess_scheduled_works+0x71b/0xe20\nworker_thread+0x82a/0xbd0\nkthread+0x242/0x2c0\nret_from_fork+0x33/0x70\nret_from_fork_asm+0x1a/0x30\nNote that the UAF is not easy to trigger as the free path is indirected\nbehind a couple RCU grace periods and a work item execution. I could only\ntrigger it with artifical msleep() injected in blkcg_unpin_online().\nFix it by reading the parent pointer before destroying the blkcg's blkg's."
    ],
    "statement": "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H).",
    "affected_release": [
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20518",
        "cpe": "cpe:/a:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-611.5.1.el9_7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20518",
        "cpe": "cpe:/o:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-611.5.1.el9_7"
      }
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 10",
        "fix_state": "Affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:10"
      },
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-56672\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56672\nhttps://lore.kernel.org/linux-cve-announce/2024122755-CVE-2024-56672-8d29@gregkh/T"
    ],
    "name": "CVE-2024-56672",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2024-12-27T00:00:00Z",
    "bugzilla": {
      "description": "kernel: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors",
      "id": "2334548",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334548"
    },
    "cvss3": {
      "cvss3_base_score": "6.7",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "status": "verified"
    },
    "cwe": "CWE-416",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors\nUprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU\nprotection. But it is possible to attach a non-sleepable BPF program to a\nuprobe, and non-sleepable BPF programs are freed via normal RCU (see\n__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal\nRCU grace period does not imply a tasks-trace-RCU grace period.\nFix it by explicitly waiting for a tasks-trace-RCU grace period after\nremoving the attachment of a bpf_prog to a perf_event."
    ],
    "statement": "The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.\nFor the Red Hat Enterprise Linux 9 to confirm the current state, inspect the sysctl with the command:\ncat /proc/sys/kernel/unprivileged_bpf_disabled\nThe setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.",
    "affected_release": [
      {
        "product_name": "Red Hat Enterprise Linux 10",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20095",
        "cpe": "cpe:/o:redhat:enterprise_linux:10.1",
        "package": "kernel-0:6.12.0-124.8.1.el10_1"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20518",
        "cpe": "cpe:/a:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-611.5.1.el9_7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20518",
        "cpe": "cpe:/o:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-611.5.1.el9_7"
      }
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Out of support scope",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2024-56675\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56675\nhttps://lore.kernel.org/linux-cve-announce/2024122756-CVE-2024-56675-e996@gregkh/T"
    ],
    "name": "CVE-2024-56675",
    "csaw": false
  },
  {
    "threat_severity": "Moderate",
    "public_date": "2025-02-27T00:00:00Z",
    "bugzilla": {
      "description": "kernel: padata: fix UAF in padata_reorder",
      "id": "2348516",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348516"
    },
    "cvss3": {
      "cvss3_base_score": "7.0",
      "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "status": "verified"
    },
    "cwe": "CWE-820",
    "details": [
      "In the Linux kernel, the following vulnerability has been resolved:\npadata: fix UAF in padata_reorder\nA bug was found when run ltp test:\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n<TASK>\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\nIf 'mdelay(10)' is added before calling 'padata_find_next' in the\n'padata_reorder' function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\nThis can be explained as bellow:\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(&pd->refcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_workercrypto_del_alg\npadata_put_pd_cnt // sub refcnt\npadata_free_shell\npadata_put_pd(ps->pd);\n// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\nIn the padata_reorder function, when it loops in 'while', if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n'padata_find_next', which leads to UAF.\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls\nto finish.\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/",
      "A use-after-free vulnerability was found in the Linux kernel's padata subsystem, in the `padata_reorder()` function. Caused by improper synchronization controls, this vulnerability can occur when a reference-counted data structure (`pd`) is decremented in one thread, freeing it, while another thread still holds a pointer to it and attempts to access it via `padata_find_next()`. This vulnerability can lead to system instability, denial of service, and potential privilege escalation."
    ],
    "affected_release": [
      {
        "product_name": "Red Hat Enterprise Linux 10",
        "release_date": "2025-08-04T00:00:00Z",
        "advisory": "RHSA-2025:12662",
        "cpe": "cpe:/o:redhat:enterprise_linux:10.0",
        "package": "kernel-0:6.12.0-55.25.1.el10_0"
      },
      {
        "product_name": "Red Hat Enterprise Linux 10",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20095",
        "cpe": "cpe:/o:redhat:enterprise_linux:10.1",
        "package": "kernel-0:6.12.0-124.8.1.el10_1"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "release_date": "2025-08-11T00:00:00Z",
        "advisory": "RHSA-2025:13590",
        "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv",
        "package": "kernel-rt-0:4.18.0-553.69.1.rt7.410.el8_10"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "release_date": "2020-11-04T00:00:00Z",
        "advisory": "RHSA-2020:4431",
        "cpe": "cpe:/o:redhat:enterprise_linux:8",
        "package": "kernel-0:4.18.0-240.el8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8",
        "release_date": "2025-08-11T00:00:00Z",
        "advisory": "RHSA-2025:13589",
        "cpe": "cpe:/o:redhat:enterprise_linux:8",
        "package": "kernel-0:4.18.0-553.69.1.el8_10"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
        "release_date": "2025-09-02T00:00:00Z",
        "advisory": "RHSA-2025:15035",
        "cpe": "cpe:/o:redhat:rhel_aus:8.4",
        "package": "kernel-0:4.18.0-305.170.1.el8_4"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
        "release_date": "2025-09-02T00:00:00Z",
        "advisory": "RHSA-2025:15035",
        "cpe": "cpe:/o:redhat:rhel_eus_long_life:8.4",
        "package": "kernel-0:4.18.0-305.170.1.el8_4"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
        "release_date": "2025-08-13T00:00:00Z",
        "advisory": "RHSA-2025:13776",
        "cpe": "cpe:/o:redhat:rhel_aus:8.6",
        "package": "kernel-0:4.18.0-372.157.1.el8_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
        "release_date": "2025-08-13T00:00:00Z",
        "advisory": "RHSA-2025:13776",
        "cpe": "cpe:/o:redhat:rhel_tus:8.6",
        "package": "kernel-0:4.18.0-372.157.1.el8_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
        "release_date": "2025-08-13T00:00:00Z",
        "advisory": "RHSA-2025:13776",
        "cpe": "cpe:/o:redhat:rhel_e4s:8.6",
        "package": "kernel-0:4.18.0-372.157.1.el8_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
        "release_date": "2025-08-05T00:00:00Z",
        "advisory": "RHSA-2025:13061",
        "cpe": "cpe:/o:redhat:rhel_tus:8.8",
        "package": "kernel-0:4.18.0-477.104.1.el8_8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
        "release_date": "2025-08-05T00:00:00Z",
        "advisory": "RHSA-2025:13061",
        "cpe": "cpe:/o:redhat:rhel_e4s:8.8",
        "package": "kernel-0:4.18.0-477.104.1.el8_8"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-08-04T00:00:00Z",
        "advisory": "RHSA-2025:12746",
        "cpe": "cpe:/a:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-570.32.1.el9_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20518",
        "cpe": "cpe:/a:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-611.5.1.el9_7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-08-04T00:00:00Z",
        "advisory": "RHSA-2025:12746",
        "cpe": "cpe:/o:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-570.32.1.el9_6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "release_date": "2025-11-11T00:00:00Z",
        "advisory": "RHSA-2025:20518",
        "cpe": "cpe:/o:redhat:enterprise_linux:9",
        "package": "kernel-0:5.14.0-611.5.1.el9_7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
        "release_date": "2025-08-19T00:00:00Z",
        "advisory": "RHSA-2025:14054",
        "cpe": "cpe:/a:redhat:rhel_e4s:9.0",
        "package": "kernel-0:5.14.0-70.142.1.el9_0"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
        "release_date": "2025-08-19T00:00:00Z",
        "advisory": "RHSA-2025:14094",
        "cpe": "cpe:/a:redhat:rhel_e4s:9.0::nfv",
        "package": "kernel-rt-0:5.14.0-70.142.1.rt21.214.el9_0"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
        "release_date": "2025-08-13T00:00:00Z",
        "advisory": "RHSA-2025:13781",
        "cpe": "cpe:/a:redhat:rhel_e4s:9.2",
        "package": "kernel-0:5.14.0-284.130.1.el9_2"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
        "release_date": "2025-08-11T00:00:00Z",
        "advisory": "RHSA-2025:13633",
        "cpe": "cpe:/a:redhat:rhel_e4s:9.2::nfv",
        "package": "kernel-rt-0:5.14.0-284.130.1.rt14.415.el9_2"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support",
        "release_date": "2025-08-06T00:00:00Z",
        "advisory": "RHSA-2025:13135",
        "cpe": "cpe:/a:redhat:rhel_eus:9.4",
        "package": "kernel-0:5.14.0-427.81.1.el9_4"
      }
    ],
    "package_state": [
      {
        "product_name": "Red Hat Enterprise Linux 6",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:6"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Not affected",
        "package_name": "kernel",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 7",
        "fix_state": "Not affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:7"
      },
      {
        "product_name": "Red Hat Enterprise Linux 9",
        "fix_state": "Affected",
        "package_name": "kernel-rt",
        "cpe": "cpe:/o:redhat:enterprise_linux:9"
      }
    ],
    "references": [
      "https://www.cve.org/CVERecord?id=CVE-2025-21727\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21727\nhttps://lore.kernel.org/linux-cve-announce/2025022648-CVE-2025-21727-b034@gregkh/T"
    ],
    "name": "CVE-2025-21727",
    "csaw": false
  }
]