This Red Hat security advisory (RHSA-2024:10281) addresses four vulnerabilities in the Linux kernel 4.18.0 used in Red Hat Enterprise Linux 8 and related distributions. The fixes include: (1) a use-after-free vulnerability in the media DVB device driver (CVE-2024-27043), (2) a null pointer dereference in Bluetooth L2CAP channel timeout handling (CVE-2024-27399), (3) enforcement of the BPF_PROG_TYPE_CGROUP_SKB attach type in BPF_LINK_CREATE to prevent improper BPF program attachment (CVE-2024-38564), and (4) a use-after-free in multipath TCP timer deletion (CVE-2024-46858). The advisory rates the security impact as moderate and does not provide CVSS scores. The update is available for Red Hat Enterprise Linux 8 on multiple architectures including x86_64, s390x, ppc64le, and aarch64. Applying the update requires a system reboot. No known exploits in the wild have been reported at this time.

The vulnerabilities fixed in this advisory could lead to use-after-free conditions and null pointer dereferences within the Linux kernel, potentially causing system instability or crashes. The BPF attach type enforcement fix prevents improper BPF program attachments that could lead to unexpected behavior. While the advisory rates the overall impact as moderate, no known exploits in the wild have been reported. The issues affect core kernel components, which could impact system reliability and security if left unpatched.

Red Hat has released an official security update for the kernel 4.18.0 packages that addresses these vulnerabilities. Users of Red Hat Enterprise Linux 8 and related products should apply the update promptly. A system reboot is required for the update to take effect. For detailed update instructions, refer to the Red Hat advisory at https://access.redhat.com/articles/11258. No additional mitigations are indicated by the vendor advisory.