Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by CWE-416
Total 6246 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-49027 1 Microsoft 4 365 Apps, Excel, Office and 1 more 2024-11-16 N/A 7.8 HIGH
Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-43625 1 Microsoft 6 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 3 more 2024-11-15 N/A 8.1 HIGH
Microsoft Windows VMSwitch Elevation of Privilege Vulnerability
CVE-2024-8376 1 Eclipse 1 Mosquitto 2024-11-15 N/A 7.5 HIGH
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
CVE-2024-49016 1 Microsoft 3 Sql Server 2016, Sql Server 2017, Sql Server 2019 2024-11-15 N/A 8.8 HIGH
SQL Server Native Client Remote Code Execution Vulnerability
CVE-2024-49021 1 Microsoft 4 Sql Server 2016, Sql Server 2017, Sql Server 2019 and 1 more 2024-11-15 N/A 7.8 HIGH
Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2024-49003 1 Microsoft 3 Sql Server 2016, Sql Server 2017, Sql Server 2019 2024-11-15 N/A 8.8 HIGH
SQL Server Native Client Remote Code Execution Vulnerability
CVE-2024-40885 2024-11-15 N/A 6.4 MEDIUM
Use after free in the UEFI firmware of some Intel(R) Server M20NTP BIOS may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-50027 1 Linux 1 Linux Kernel 2024-11-08 N/A 5.5 MEDIUM
In the Linux kernel, the following vulnerability has been resolved: thermal: core: Free tzp copy along with the thermal zone The object pointed to by tz->tzp may still be accessed after being freed in thermal_zone_device_unregister(), so move the freeing of it to the point after the removal completion has been completed at which it cannot be accessed any more.
CVE-2023-52913 1 Linux 1 Linux Kernel 2024-11-08 N/A 5.5 MEDIUM
In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential context UAFs gem_context_register() makes the context visible to userspace, and which point a separate thread can trigger the I915_GEM_CONTEXT_DESTROY ioctl. So we need to ensure that nothing uses the ctx ptr after this. And we need to ensure that adding the ctx to the xarray is the *last* thing that gem_context_register() does with the ctx pointer. [tursulin: Stable and fixes tags add/tidy.] (cherry picked from commit bed4b455cf5374e68879be56971c1da563bcd90c)
CVE-2024-33068 1 Qualcomm 244 Ar8035, Ar8035 Firmware, Fastconnect 6900 and 241 more 2024-11-07 N/A 7.5 HIGH
Transient DOS while parsing fragments of MBSSID IE from beacon frame.
CVE-2024-33029 1 Qualcomm 6 Qca6584au, Qca6584au Firmware, Qca6698aq and 3 more 2024-11-07 N/A 6.7 MEDIUM
Memory corruption while handling the PDR in driver for getting the remote heap maps.
CVE-2024-38424 1 Qualcomm 238 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 235 more 2024-11-07 N/A 7.8 HIGH
Memory corruption during GNSS HAL process initialization.
CVE-2024-38421 1 Qualcomm 154 Fastconnect 6200, Fastconnect 6200 Firmware, Fastconnect 7800 and 151 more 2024-11-07 N/A 7.8 HIGH
Memory corruption while processing GPU commands.
CVE-2024-38419 1 Qualcomm 296 Ar8035, Ar8035 Firmware, Csra6620 and 293 more 2024-11-07 N/A 7.8 HIGH
Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.
CVE-2024-38415 1 Qualcomm 356 215 Mobile Platform, 215 Mobile Platform Firmware, Ar8035 and 353 more 2024-11-07 N/A 7.8 HIGH
Memory corruption while handling session errors from firmware.
CVE-2024-33033 1 Qualcomm 56 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 53 more 2024-11-07 N/A 6.7 MEDIUM
Memory corruption while processing IOCTL calls to unmap the buffers.
CVE-2022-48991 1 Linux 1 Linux Kernel 2024-11-07 N/A 7.8 HIGH
In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free. I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables.
CVE-2024-50005 1 Linux 1 Linux Kernel 2024-11-07 N/A 7.8 HIGH
In the Linux kernel, the following vulnerability has been resolved: mac802154: Fix potential RCU dereference issue in mac802154_scan_worker In the `mac802154_scan_worker` function, the `scan_req->type` field was accessed after the RCU read-side critical section was unlocked. According to RCU usage rules, this is illegal and can lead to unpredictable behavior, such as accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the `scan_req->type` value is now stored in a local variable `scan_req_type` while still within the RCU read-side critical section. The `scan_req_type` is then used after the RCU lock is released, ensuring that the type value is safely accessed without violating RCU rules.
CVE-2022-49006 1 Linux 1 Linux Kernel 2024-11-04 N/A 7.8 HIGH
In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel: # cd /sys/kernel/tracing # for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and created another will reuse the previous events type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function call's first parameter as an integer. # echo 1 > kprobes/foo/enable # cat /etc/passwd > /dev/null # cat trace cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 # echo 0 > kprobes/foo/enable Now if we delete the kprobe and create a new one that reads a string: # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events And now we can the trace: # cat trace sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="��������������������������������������� ---truncated---
CVE-2022-48988 1 Linux 1 Linux Kernel 2024-11-01 N/A 7.0 HIGH
In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.