| CVE-2024-8178 |
BDSA-2024-6071 |
High |
Sep 05, 2024 |
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it.
Malicious software running i
more...
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2024-6387 |
|
High |
Jul 01, 2024 |
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals i
more...
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
less...
|
14.0.0
|
| CVE-2024-45287 |
BDSA-2024-6073 |
High |
Sep 05, 2024 |
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for
more...
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2024-45063 |
BDSA-2024-6064 |
High |
Sep 05, 2024 |
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.
Malicious software
more...
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2024-43110 |
BDSA-2024-6075 |
High |
Sep 05, 2024 |
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.
Malicious software running in a guest VM that exposes v
more...
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2024-43102 |
BDSA-2024-6072 |
Critical |
Sep 05, 2024 |
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the ref
more...
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.
A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2024-42416 |
BDSA-2024-6060 |
High |
Sep 05, 2024 |
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount
more...
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2024-32668 |
BDSA-2024-6066 |
High |
Sep 05, 2024 |
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.
A malicious,
more...
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.
A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
less...
|
14.0.0, 13.1, 13.0
|
| CVE-2023-6660 |
BDSA-2023-3449 |
Medium |
Dec 13, 2023 |
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the da
more...
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication.
The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network.
Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem.
less...
|
14.0.0
|
| CVE-2023-6534 |
BDSA-2023-3451 |
High |
Dec 13, 2023 |
In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9,
more...
In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a denial-of-service attack against hosts behind the firewall.
less...
|
14.0.0, 12.4
|