## https://sploitus.com/exploit?id=PACKETSTORM:190557
Linux kernel vulnerabilities
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    -   Ubuntu 20.04 LTS
    -   Ubuntu 18.04 LTS
    -   Ubuntu 16.04 LTS
    -   Ubuntu 22.04 LTS
    -   Ubuntu 14.04 LTS
    
    Summary
    
    Several security issues were fixed in the kernel.
    
    Software Description
    
    -   linux - Linux kernel
    -   linux-aws - Linux kernel for Amazon Web Services (AWS) systems
    -   linux-azure - Linux kernel for Microsoft Azure Cloud systems
    -   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
    -   linux-gke - Linux kernel for Google Container Engine (GKE) systems
    -   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems
    -   linux-ibm - Linux kernel for IBM cloud systems
    -   linux-oracle - Linux kernel for Oracle Cloud systems
    
    Details
    
    It was discovered that the watch_queue event notification system
    contained an out-of-bounds write vulnerability. A local attacker could
    use this to cause a denial of service or escalate their privileges.
    (CVE-2022-0995)
    
    In the Linux kernel, the following vulnerability has been resolved: smb:
    client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions
    that are being torn down (status == SES_EXITING) to avoid UAF.
    (CVE-2024-26928)
    
    In the Linux kernel, the following vulnerability has been resolved: smb:
    client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions
    that are being torn down (status == SES_EXITING) to avoid UAF.
    (CVE-2024-35864)
    
    In the Linux kernel, the following vulnerability has been resolved: HID:
    core: zero-initialize the report buffer Since the report buffer is used
    by all kinds of drivers in various ways, let’s zero-initialize it
    during allocation to make sure that it can’t ever be used to leak kernel
    memory via a specially crafted report. (CVE-2024-50302)
    
    In the Linux kernel, the following vulnerability has been resolved:
    media: dvbdev: prevent the risk of out of memory access The dvbdev
    contains a static variable used to store dvb minors. Its behavior
    depends on whether CONFIG_DVB_DYNAMIC_MINORS is set. When it is not set,
    dvb_register_device() won’t check for boundaries, as it relies on a
    previous call to dvb_register_adapter() having already enforced them.
    In a similar way, dvb_device_open() assumes that the register functions
    already did the needed checks. This can be fragile if some device ends
    up using different calls. It also generates warnings on static analysers
    like Coverity. So, add explicit guards to prevent the potential risk of
    OOM issues. (CVE-2024-53063)
    
    In the Linux kernel, the following vulnerability has been resolved: jfs:
    add a check to prevent array-index-out-of-bounds in dbAdjTree When the
    value of lp is 0 at the beginning of the for loop, it will become
    negative in the next assignment and we should bail out. (CVE-2024-56595)
    
    In the Linux kernel, the following vulnerability has been resolved:
    blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks
    up the blkcg hierarchy putting the online pin. To walk up, it uses
    blkcg_parent(blkcg) but it was calling that after
    blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
    following UAF:

        ==================================================================
        BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
        Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117

        CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022
        Workqueue: cgwb_release cgwb_release_workfn
        Call Trace:
         dump_stack_lvl+0x27/0x80
         print_report+0x151/0x710
         kasan_report+0xc0/0x100
         blkcg_unpin_online+0x15a/0x270
         cgwb_release_workfn+0x194/0x480
         process_scheduled_works+0x71b/0xe20
         worker_thread+0x82a/0xbd0
         kthread+0x242/0x2c0
         ret_from_fork+0x33/0x70
         ret_from_fork_asm+0x1a/0x30
        …
        Freed by task 1944:
         kasan_save_track+0x2b/0x70
         kasan_save_free_info+0x3c/0x50
         __kasan_slab_free+0x33/0x50
         kfree+0x10c/0x330
         css_free_rwork_fn+0xe6/0xb30
         process_scheduled_works+0x71b/0xe20
         worker_thread+0x82a/0xbd0
         kthread+0x242/0x2c0
         ret_from_fork+0x33/0x70
         ret_from_fork_asm+0x1a/0x30

    Note that the UAF is not easy to trigger as the free path is indirected
    behind a couple of RCU grace periods and a work item execution. I could
    only trigger it with an artificial msleep() injected in
    blkcg_unpin_online(). Fix it by reading the parent pointer before
    destroying the blkcg’s blkgs. (CVE-2024-56672)
    
    In the Linux kernel, the following vulnerability has been resolved:
    drm/dp_mst: Ensure mst_primary pointer is valid in
    drm_dp_mst_handle_up_req() While receiving an MST up request message
    from one thread in drm_dp_mst_handle_up_req(), the MST topology could be
    removed from another thread via drm_dp_mst_topology_mgr_set_mst(false),
    freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to
    NULL. This could lead to a NULL deref/use-after-free of mst_primary in
    drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for
    mst_primary in drm_dp_mst_handle_up_req() while it’s used. v2: Fix
    kfreeing the request if getting an mst_primary reference fails.
    (CVE-2024-57798)
    
    Update instructions
    
    The problem can be corrected by updating your kernel livepatch to the
    following versions:
    
    Ubuntu 20.04 LTS
        aws - 111.1
        azure - 111.1
        gcp - 111.1
        generic - 111.1
        gkeop - 111.1
        ibm - 111.1
        lowlatency - 111.1
        oracle - 111.1
    
    Ubuntu 18.04 LTS
        aws - 111.1
        azure - 111.1
        gcp - 111.1
        generic - 111.1
        lowlatency - 111.1
        oracle - 111.1
    
    Ubuntu 16.04 LTS
        aws - 111.1
        azure - 111.1
        gcp - 111.1
        generic - 111.1
        lowlatency - 111.1
    
    Ubuntu 22.04 LTS
        aws - 111.1
        azure - 111.1
        gcp - 111.1
        generic - 111.1
        gke - 111.1
        ibm - 111.1
        oracle - 111.1
    
    Ubuntu 14.04 LTS
        generic - 111.1
        lowlatency - 111.1
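    As an added check (not part of the Ubuntu notice), the following script reads the output of `canonical-livepatch status` and compares the installed livepatch version against the 111.1 required above. It assumes the status output carries a line of the form "patch version: N.N" (or "version: N.N" in older client output); the sample status text embedded below is constructed, not captured from a host.

```shell
# Added example, not part of the Ubuntu notice. Assumes the livepatch client
# prints a "patch version: N.N" or "version: N.N" line in its status output.

REQUIRED_LIVEPATCH="111.1"

# Read status text on stdin and print the installed livepatch version,
# or nothing if no version line is present.
livepatch_installed_version() {
    sed -n -E 's/^[[:space:]]*(patch )?version:[[:space:]]*"?([0-9]+(\.[0-9]+)*)"?.*$/\2/p' | head -n 1
}

# Compare dotted versions component by component (pure POSIX sh, no sort -V).
# Prints "current" if $1 >= $2, "outdated" if lower, "unknown" if $1 is empty.
livepatch_compare() {
    installed="$1"
    required="$2"
    [ -n "$installed" ] || { echo "unknown"; return 0; }
    a="$installed."
    b="$required."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ -n "$x" ] || x=0          # missing component counts as 0
        [ -n "$y" ] || y=0
        if [ "$x" -gt "$y" ]; then echo "current"; return 0; fi
        if [ "$x" -lt "$y" ]; then echo "outdated"; return 0; fi
    done
    echo "current"                  # every component equal
}

# Status text in, verdict out.
livepatch_check() {
    livepatch_compare "$(livepatch_installed_version)" "$REQUIRED_LIVEPATCH"
}

# Constructed sample of status output (shape assumed; not captured from a host).
SAMPLE_STATUS='last check: 5 minutes ago
kernel: 5.4.0-204-generic
patch state: applied
patch version: 110.2'

# On a real host: canonical-livepatch status | livepatch_check
printf '%s\n' "$SAMPLE_STATUS" | livepatch_check
```

    The sample above reports "outdated" because 110.2 is below 111.1; a host that has applied this notice reports "current".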
    
    Support Information
    
    Livepatches for supported LTS kernels will receive upgrades for a period
    of up to 13 months after the build date of the kernel.
    
    Livepatches for supported HWE kernels which are not based on an LTS
    kernel version will receive upgrades for a period of up to 9 months
    after the build date of the kernel, or until the end of support for that
    kernel’s non-LTS distro release version, whichever is sooner.
    
    References
    
    -   CVE-2022-0995
    -   CVE-2024-26928
    -   CVE-2024-35864
    -   CVE-2024-50302
    -   CVE-2024-53063
    -   CVE-2024-56595
    -   CVE-2024-56672
    -   CVE-2024-57798