Add new batch of CVEs

Fixup for fix in earlier versions as 6.6.15-1 and one N/A as vulnerable
code was only introduced in 6.7 series.

22 files changed, 351 insertions, 0 deletions

diff --git a/active/CVE-2023-52609 b/active/CVE-2023-52609
new file mode 100644
index 00000000..c9d98235
--- /dev/null
+++ b/active/CVE-2023-52609
@@ -0,0 +1,16 @@
+Description: binder: fix race between mmput() and do_exit()
+References:
+Notes:
+ carnil> Introduced in 457b9a6f09f0 ("Staging: android: add binder driver"). Vulnerable
+ carnil> versions: 2.6.29-rc1.
+Bugs:
+upstream: released (6.8-rc1) [9a9ab0d963621d9d12199df9817e66982582d5a5]
+6.7-upstream-stable: released (6.7.2) [77d210e8db4d61d43b2d16df66b1ec46fad2ee01]
+6.6-upstream-stable: released (6.6.14) [67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e]
+6.1-upstream-stable: released (6.1.75) [6696f76c32ff67fec26823fc2df46498e70d9bf3]
+5.10-upstream-stable: released (5.10.209) [7e7a0d86542b0ea903006d3f42f33c4f7ead6918]
+4.19-upstream-stable: released (4.19.306) [95b1d336b0642198b56836b89908d07b9a0c9608]
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: released (5.10.209-1)
+4.19-buster-security: needed
diff --git a/active/CVE-2023-52610 b/active/CVE-2023-52610
new file mode 100644
index 00000000..9c806ea3
--- /dev/null
+++ b/active/CVE-2023-52610
@@ -0,0 +1,16 @@
+Description: net/sched: act_ct: fix skb leak and crash on ooo frags
+References:
+Notes:
+ carnil> Introduced in b57dc7c13ea9 ("net/sched: Introduce action ct"). Vulnerable
+ carnil> versions: 5.3-rc1.
+Bugs:
+upstream: released (6.8-rc1) [3f14b377d01d8357eba032b4cabc8c1149b458b6]
+6.7-upstream-stable: released (6.7.2) [f5346df0591d10bc948761ca854b1fae6d2ef441]
+6.6-upstream-stable: released (6.6.14) [73f7da5fd124f2cda9161e2e46114915e6e82e97]
+6.1-upstream-stable: released (6.1.75) [0b5b831122fc3789fff75be433ba3e4dd7b779d4]
+5.10-upstream-stable: needed
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: needed
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2023-52611 b/active/CVE-2023-52611
new file mode 100644
index 00000000..b51090d9
--- /dev/null
+++ b/active/CVE-2023-52611
@@ -0,0 +1,16 @@
+Description: wifi: rtw88: sdio: Honor the host max_req_size in the RX path
+References:
+Notes:
+ carnil> Introduced in 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO
+ carnil> based chipsets"). Vulnerable versions: 6.4-rc1.
+Bugs:
+upstream: released (6.8-rc1) [00384f565a91c08c4bedae167f749b093d10e3fe]
+6.7-upstream-stable: released (6.7.2) [0e9ffff72a0674cd6656314dbd99cdd2123a3030]
+6.6-upstream-stable: released (6.6.14) [5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7]
+6.1-upstream-stable: N/A "Vulnerable code not present"
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: N/A "Vulnerable code not present"
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2023-52612 b/active/CVE-2023-52612
new file mode 100644
index 00000000..e6d41177
--- /dev/null
+++ b/active/CVE-2023-52612
@@ -0,0 +1,16 @@
+Description: crypto: scomp - fix req->dst buffer overflow
+References:
+Notes:
+ carnil> Introduced in 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface").
+ carnil> Vulnerable versions: 4.10-rc1.
+Bugs:
+upstream: released (6.8-rc1) [744e1885922a9943458954cfea917b31064b4131]
+6.7-upstream-stable: released (6.7.2) [71c6670f9f032ec67d8f4e3f8db4646bf5a62883]
+6.6-upstream-stable: released (6.6.14) [7d9e5bed036a7f9e2062a137e97e3c1e77fb8759]
+6.1-upstream-stable: released (6.1.75) [4df0c942d04a67df174195ad8082f6e30e7f71a5]
+5.10-upstream-stable: released (5.10.209) [4518dc468cdd796757190515a9be7408adc8911e]
+4.19-upstream-stable: released (4.19.306) [1142d65c5b881590962ad763f94505b6dd67d2fe]
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: released (5.10.209-1)
+4.19-buster-security: needed
diff --git a/active/CVE-2023-52613 b/active/CVE-2023-52613
new file mode 100644
index 00000000..7743cf66
--- /dev/null
+++ b/active/CVE-2023-52613
@@ -0,0 +1,16 @@
+Description: drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment
+References:
+Notes:
+ carnil> Introduced in e7e3a7c35791 ("thermal/drivers/loongson-2: Add thermal management
+ carnil> support"). Vulnerable versions: 6.6-rc1.
+Bugs:
+upstream: released (6.8-rc1) [15ef92e9c41124ee9d88b01208364f3fe1f45f84]
+6.7-upstream-stable: released (6.7.2) [6010a9fc14eb1feab5cafd84422001134fe8ec58]
+6.6-upstream-stable: released (6.6.14) [70481755ed77400e783200e2d022e5fea16060ce]
+6.1-upstream-stable: N/A "Vulnerable code not present"
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: N/A "Vulnerable code not present"
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2023-52614 b/active/CVE-2023-52614
new file mode 100644
index 00000000..c74f8aed
--- /dev/null
+++ b/active/CVE-2023-52614
@@ -0,0 +1,16 @@
+Description: PM / devfreq: Fix buffer overflow in trans_stat_show
+References:
+Notes:
+ carnil> Introduced in e552bbaf5b98 ("PM / devfreq: Add sysfs node for representing
+ carnil> frequency transition information."). Vulnerable versions: 3.8-rc1.
+Bugs:
+upstream: released (6.8-rc1) [08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4]
+6.7-upstream-stable: released (6.7.3) [eaef4650fa2050147ca25fd7ee43bc0082e03c87]
+6.6-upstream-stable: released (6.6.15) [a979f56aa4b93579cf0e4265ae04d7e9300fd3e8]
+6.1-upstream-stable: released (6.1.76) [8a7729cda2dd276d7a3994638038fb89035b6f2c]
+5.10-upstream-stable: needed
+4.19-upstream-stable: needed
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2023-52615 b/active/CVE-2023-52615
new file mode 100644
index 00000000..b25db1ea
--- /dev/null
+++ b/active/CVE-2023-52615
@@ -0,0 +1,16 @@
+Description: hwrng: core - Fix page fault dead lock on mmap-ed hwrng
+References:
+Notes:
+ carnil> Introduced in 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte
+ carnil> array"). Vulnerable versions: 2.6.33-rc1.
+Bugs:
+upstream: released (6.8-rc1) [78aafb3884f6bc6636efcc1760c891c8500b9922]
+6.7-upstream-stable: released (6.7.3) [6822a14271786150e178869f1495cc03e74c5029]
+6.6-upstream-stable: released (6.6.15) [ecabe8cd456d3bf81e92c53b074732f3140f170d]
+6.1-upstream-stable: released (6.1.76) [aa8aa16ed9adf1df05bb339d588cf485a011839e]
+5.10-upstream-stable: released (5.10.210) [c6a8111aacbfe7a8a70f46cc0de8eed00561693c]
+4.19-upstream-stable: released (4.19.307) [eafd83b92f6c044007a3591cbd476bcf90455990]
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2023-52616 b/active/CVE-2023-52616
new file mode 100644
index 00000000..2cf3a418
--- /dev/null
+++ b/active/CVE-2023-52616
@@ -0,0 +1,16 @@
+Description: crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
+References:
+Notes:
+ carnil> Introduced in d58bb7e55a8a ("lib/mpi: Introduce ec implementation to MPI
+ carnil> library"). Vulnerable versions: 5.10-rc1.
+Bugs:
+upstream: released (6.8-rc1) [ba3c5574203034781ac4231acf117da917efcd2a]
+6.7-upstream-stable: released (6.7.3) [7abdfd45a650c714d5ebab564bb1b988f14d9b49]
+6.6-upstream-stable: released (6.6.15) [7ebf812b7019fd2d4d5a7ca45ef4bf3a6f4bda0a]
+6.1-upstream-stable: released (6.1.79) [bb44477d4506e52785693a39f03cdc6a2c5e8598]
+5.10-upstream-stable: released (5.10.210) [0c3687822259a7628c85cd21a3445cbe3c367165]
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2023-52617 b/active/CVE-2023-52617
new file mode 100644
index 00000000..dfcb481d
--- /dev/null
+++ b/active/CVE-2023-52617
@@ -0,0 +1,15 @@
+Description: PCI: switchtec: Fix stdev_release() crash after surprise hot remove
+References:
+Notes:
+ carnil> First introducing commit could not be determined.
+Bugs:
+upstream: released (6.8-rc1) [df25461119d987b8c81d232cfe4411e91dcabe66]
+6.7-upstream-stable: released (6.7.4) [e129c7fa7070fbce57feb0bfc5eaa65eef44b693]
+6.6-upstream-stable: released (6.6.16) [0233b836312e39a3c763fb53512b3fa455b473b3]
+6.1-upstream-stable: released (6.1.77) [1d83c85922647758c1f1e4806a4c5c3cf591a20a]
+5.10-upstream-stable: released (5.10.210) [4a5d0528cf19dbf060313dffbe047bc11c90c24c]
+4.19-upstream-stable: needed
+sid: released (6.7.7-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2023-52618 b/active/CVE-2023-52618
new file mode 100644
index 00000000..8754cfc4
--- /dev/null
+++ b/active/CVE-2023-52618
@@ -0,0 +1,15 @@
+Description: block/rnbd-srv: Check for unlikely string overflow
+References:
+Notes:
+ carnil> First introducing commit could not be determined.
+Bugs:
+upstream: released (6.8-rc1) [9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41]
+6.7-upstream-stable: released (6.7.4) [a2c6206f18104fba7f887bf4dbbfe4c41adc4339]
+6.6-upstream-stable: released (6.6.16) [5b9ea86e662035a886ccb5c76d56793cba618827]
+6.1-upstream-stable: released (6.1.77) [af7bbdac89739e2e7380387fda598848d3b7010f]
+5.10-upstream-stable: released (5.10.210) [95bc866c11974d3e4a9d922275ea8127ff809cf7]
+4.19-upstream-stable: needed
+sid: released (6.7.7-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2023-52619 b/active/CVE-2023-52619
new file mode 100644
index 00000000..2ddf43d3
--- /dev/null
+++ b/active/CVE-2023-52619
@@ -0,0 +1,15 @@
+Description: pstore/ram: Fix crash when setting number of cpus to an odd number
+References:
+Notes:
+ carnil> First introducing commit could not be determined.
+Bugs:
+upstream: released (6.8-rc1) [d49270a04623ce3c0afddbf3e984cb245aa48e9c]
+6.7-upstream-stable: released (6.7.4) [cd40e43f870cf21726b22487a95ed223790b3542]
+6.6-upstream-stable: released (6.6.16) [0593cfd321df9001142a9d2c58d4144917dff7ee]
+6.1-upstream-stable: released (6.1.77) [75b0f71b26b3ad833c5c0670109c0af6e021e86a]
+5.10-upstream-stable: released (5.10.210) [a63e48cd835c34c38ef671d344cc029b1ea5bf10]
+4.19-upstream-stable: released (4.19.307) [8b69c30f4e8b69131d92096cb296dc1f217101e4]
+sid: released (6.7.7-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2024-26631 b/active/CVE-2024-26631
new file mode 100644
index 00000000..c0c6aea8
--- /dev/null
+++ b/active/CVE-2024-26631
@@ -0,0 +1,16 @@
+Description: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
+References:
+Notes:
+ carnil> Introduced in 2d9a93b4902b ("mld: convert from timer to delayed work").
+ carnil> Vulnerable versions: 5.13-rc1.
+Bugs:
+upstream: released (6.8-rc1) [2e7ef287f07c74985f1bf2858bedc62bd9ebf155]
+6.7-upstream-stable: released (6.7.2) [3bb5849675ae1d592929798a2b37ea450879c855]
+6.6-upstream-stable: released (6.6.14) [3cc283fd16fba72e2cefe3a6f48d7a36b0438900]
+6.1-upstream-stable: released (6.1.75) [380540bb06bb1d1b12bdc947d1b8f56cda6b5663]
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-26632 b/active/CVE-2024-26632
new file mode 100644
index 00000000..7bbc26c5
--- /dev/null
+++ b/active/CVE-2024-26632
@@ -0,0 +1,16 @@
+Description: block: Fix iterating over an empty bio with bio_for_each_folio_all
+References:
+Notes:
+ carnil> Introduced in 640d1930bef4 ("block: Add bio_for_each_folio_all()"). Vulnerable
+ carnil> versions: 5.17-rc1.
+Bugs:
+upstream: released (6.8-rc1) [7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7]
+6.7-upstream-stable: released (6.7.2) [ca3ede3f5893e2d26d4dbdef1eec28a8487fafde]
+6.6-upstream-stable: released (6.6.14) [a6bd8182137a12d22d3f2cee463271bdcb491659]
+6.1-upstream-stable: released (6.1.75) [c6350b5cb78e9024c49eaee6fdb914ad2903a5fe]
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-26633 b/active/CVE-2024-26633
new file mode 100644
index 00000000..fe33d7a5
--- /dev/null
+++ b/active/CVE-2024-26633
@@ -0,0 +1,17 @@
+Description: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
+References:
+Notes:
+ carnil> Introduced in fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()").
+ carnil> Vulnerable versions: 3.2.87 3.10.106 3.12.71 3.16.42 3.18.49 4.4.50 4.9.11
+ carnil> 4.10-rc6.
+Bugs:
+upstream: released (6.8-rc1) [d375b98e0248980681e5e56b712026174d617198]
+6.7-upstream-stable: released (6.7.2) [ba8d904c274268b18ef3dc11d3ca7b24a96cb087]
+6.6-upstream-stable: released (6.6.14) [687c5d52fe53e602e76826dbd4d7af412747e183]
+6.1-upstream-stable: released (6.1.75) [62a1fedeb14c7ac0947ef33fadbabd35ed2400a2]
+5.10-upstream-stable: released (5.10.209) [da23bd709b46168f7dfc36055801011222b076cd]
+4.19-upstream-stable: released (4.19.306) [135414f300c5db995e2a2f3bf0f455de9d014aee]
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: released (5.10.209-1)
+4.19-buster-security: needed
diff --git a/active/CVE-2024-26634 b/active/CVE-2024-26634
new file mode 100644
index 00000000..cfd29950
--- /dev/null
+++ b/active/CVE-2024-26634
@@ -0,0 +1,16 @@
+Description: net: fix removing a namespace with conflicting altnames
+References:
+Notes:
+ carnil> Introduced in 7663d522099e ("net: check for altname conflicts when changing
+ carnil> netdev's netns"). Vulnerable versions: 6.1.60 6.5.9 6.6-rc7.
+Bugs:
+upstream: released (6.8-rc2) [d09486a04f5da0a812c26217213b89a3b1acf836]
+6.7-upstream-stable: released (6.7.3) [8072699aa9e67d1727692cfb3c347263bb627fb9]
+6.6-upstream-stable: released (6.6.15) [e855dded4b70d1975ee7b9fed0c700391e3c8ea6]
+6.1-upstream-stable: released (6.1.76) [a2232f29bf52c24f827865b3c90829c44b6c695b]
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-26635 b/active/CVE-2024-26635
new file mode 100644
index 00000000..f96c9602
--- /dev/null
+++ b/active/CVE-2024-26635
@@ -0,0 +1,16 @@
+Description: llc: Drop support for ETH_P_TR_802_2.
+References:
+Notes:
+ carnil> Introduced in 211ed865108e ("net: delete all instances of special processing
+ carnil> for token ring"). Vulnerable versions: 3.5-rc1.
+Bugs:
+upstream: released (6.8-rc2) [e3f9bed9bee261e3347131764e42aeedf1ffea61]
+6.7-upstream-stable: released (6.7.3) [df57fc2f2abf548aa889a36ab0bdcc94a75399dc]
+6.6-upstream-stable: released (6.6.15) [f1f34a515fb1e25e85dee94f781e7869ae351fb8]
+6.1-upstream-stable: released (6.1.76) [660c3053d992b68fee893a0e9ec9159228cffdc6]
+5.10-upstream-stable: released (5.10.210) [9ccdef19cf9497c2803b005369668feb91cacdfd]
+4.19-upstream-stable: released (4.19.307) [165ad1e22779685c3ed3dd349c6c4c632309cc62]
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2024-26636 b/active/CVE-2024-26636
new file mode 100644
index 00000000..a7f69f71
--- /dev/null
+++ b/active/CVE-2024-26636
@@ -0,0 +1,16 @@
+Description: llc: make llc_ui_sendmsg() more robust against bonding changes
+References:
+Notes:
+ carnil> Introduced in 1da177e4c3f4 ("Linux-2.6.12-rc2"). Vulnerable versions:
+ carnil> 2.6.12-rc2^0.
+Bugs:
+upstream: released (6.8-rc2) [dad555c816a50c6a6a8a86be1f9177673918c647]
+6.7-upstream-stable: released (6.7.3) [c451c008f563d56d5e676c9dcafae565fcad84bb]
+6.6-upstream-stable: released (6.6.15) [cafd3ad3fe03ef4d6632747be9ee15dc0029db4b]
+6.1-upstream-stable: released (6.1.76) [6d53b813ff8b177f86f149c2f744442681f720e4]
+5.10-upstream-stable: released (5.10.210) [04f2a74b562f3a7498be0399309669f342793d8c]
+4.19-upstream-stable: released (4.19.307) [84e9d10419f6f4f3f3cd8f9aaf44a48719aa4b1b]
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2024-26637 b/active/CVE-2024-26637
new file mode 100644
index 00000000..2549f401
--- /dev/null
+++ b/active/CVE-2024-26637
@@ -0,0 +1,16 @@
+Description: wifi: ath11k: rely on mac80211 debugfs handling for vif
+References:
+Notes:
+ carnil> Introduced in 0a3d898ee9a8 ("wifi: mac80211: add/remove driver debugfs entries
+ carnil> as appropriate"). Vulnerable versions: 6.7.
+Bugs:
+upstream: released (6.8-rc2) [556857aa1d0855aba02b1c63bc52b91ec63fc2cc]
+6.7-upstream-stable: released (6.7.3) [aa74ce30a8a40d19a4256de4ae5322e71344a274]
+6.6-upstream-stable: N/A "Vulnerable code not present"
+6.1-upstream-stable: N/A "Vulnerable code not present"
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: N/A "Vulnerable code not present"
+6.1-bookworm-security: N/A "Vulnerable code not present"
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-26638 b/active/CVE-2024-26638
new file mode 100644
index 00000000..f4c823c6
--- /dev/null
+++ b/active/CVE-2024-26638
@@ -0,0 +1,16 @@
+Description: nbd: always initialize struct msghdr completely
+References:
+Notes:
+ carnil> Introduced in f94fd25cb0aa ("tcp: pass back data left in socket after
+ carnil> receive"). Vulnerable versions: 5.19-rc1.
+Bugs:
+upstream: released (6.8-rc1) [78fbb92af27d0982634116c7a31065f24d092826]
+6.7-upstream-stable: released (6.7.3) [b0028f333420a65a53a63978522db680b37379dd]
+6.6-upstream-stable: released (6.6.15) [1960f2b534da1e6c65fb96f9e98bda773495f406]
+6.1-upstream-stable: released (6.1.76) [d9c54763e5cdbbd3f81868597fe8aca3c96e6387]
+5.10-upstream-stable: N/A "Vulnerable code not present"
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.6.15-1)
+6.1-bookworm-security: released (6.1.76-1)
+5.10-bullseye-security: N/A "Vulnerable code not present"
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-26639 b/active/CVE-2024-26639
new file mode 100644
index 00000000..6641b3e0
--- /dev/null
+++ b/active/CVE-2024-26639
@@ -0,0 +1,17 @@
+Description: mm, kmsan: fix infinite recursion due to RCU critical section
+References:
+Notes:
+ carnil> Introduced in 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing
+ carnil> memory_section->usage"). Vulnerable versions: 5.10.210 5.15.149 6.1.76 6.6.15
+ carnil> 6.7.3 6.8-rc1.
+Bugs:
+upstream: released (6.8-rc3) [f6564fce256a3944aa1bc76cb3c40e792d97c1eb]
+6.7-upstream-stable: released (6.7.4) [5a33420599fa0288792537e6872fd19cc8607ea6]
+6.6-upstream-stable: released (6.6.16) [6335c0cdb2ea0ea02c999e04d34fd84f69fb27ff]
+6.1-upstream-stable: released (6.1.77) [dc904345e3771aa01d0b8358b550802fdc6fe00b]
+5.10-upstream-stable: needed
+4.19-upstream-stable: N/A "Vulnerable code not present"
+sid: released (6.7.7-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: N/A "Vulnerable code not present"
diff --git a/active/CVE-2024-26640 b/active/CVE-2024-26640
new file mode 100644
index 00000000..0d04635c
--- /dev/null
+++ b/active/CVE-2024-26640
@@ -0,0 +1,16 @@
+Description: tcp: add sanity checks to rx zerocopy
+References:
+Notes:
+ carnil> Introduced in 93ab6cc69162 ("tcp: implement mmap() for zero copy receive").
+ carnil> Vulnerable versions: 4.18-rc1.
+Bugs:
+upstream: released (6.8-rc3) [577e4432f3ac810049cb7e6b71f4d96ec7c6e894]
+6.7-upstream-stable: released (6.7.4) [1b8adcc0e2c584fec778add7777fe28e20781e60]
+6.6-upstream-stable: released (6.6.16) [d15cc0f66884ef2bed28c7ccbb11c102aa3a0760]
+6.1-upstream-stable: released (6.1.77) [b383d4ea272fe5795877506dcce5aad1f6330e5e]
+5.10-upstream-stable: released (5.10.210) [f48bf9a83b1666d934247cb58a9887d7b3127b6f]
+4.19-upstream-stable: needed
+sid: released (6.7.7-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed
diff --git a/active/CVE-2024-26641 b/active/CVE-2024-26641
new file mode 100644
index 00000000..bfc28395
--- /dev/null
+++ b/active/CVE-2024-26641
@@ -0,0 +1,16 @@
+Description: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
+References:
+Notes:
+ carnil> Introduced in 0d3c703a9d17 ("ipv6: Cleanup IPv6 tunnel receive path").
+ carnil> Vulnerable versions: 4.7-rc1.
+Bugs:
+upstream: released (6.8-rc3) [8d975c15c0cd744000ca386247432d57b21f9df0]
+6.7-upstream-stable: released (6.7.4) [c835df3bcc14858ae9b27315dd7de76370b94f3a]
+6.6-upstream-stable: released (6.6.16) [350a6640fac4b53564ec20aa3f4a0922cb0ba5e6]
+6.1-upstream-stable: released (6.1.77) [d54e4da98bbfa8c257bdca94c49652d81d18a4d8]
+5.10-upstream-stable: released (5.10.210) [a9bc32879a08f23cdb80a48c738017e39aea1080]
+4.19-upstream-stable: needed
+sid: released (6.7.7-1)
+6.1-bookworm-security: needed
+5.10-bullseye-security: needed
+4.19-buster-security: needed