Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2024:4352
Vulnerability from osv_almalinux
Published
2024-07-08 00:00
Modified
2024-07-08 18:07
Summary
Important: kernel-rt security and bug fix update
Details
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583
- kernel-rt: kernel: PCI interrupt mapping cause oops [almalinux-8] (CVE-2021-46909)
- kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)
- kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)
- kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)
- kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)
- kernel: Squashfs: check the inode number is not the invalid value of zero (CVE-2024-26982)
- kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)
- kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)
- kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)
- kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)
- kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)
- kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)
- kernel: ovl: fix leaked dentry (CVE-2021-46972)
- kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)
- kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)
- kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)
- kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)
- kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)
- kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)
- kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)
- kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)
- kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)
- kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)
- kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)
- kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)
- kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)
- kernel: crypto: (CVE-2024-26974, CVE-2023-52813)
- kernel: can: (CVE-2023-52878, CVE-2021-47456)
- kernel: usb: (CVE-2023-52781, CVE-2023-52877)
- kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)
- kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)
- kernel: gro: fix ownership transfer (CVE-2024-35890)
- kernel: erspan: make sure erspan_base_hdr is present in skb->head (CVE-2024-35888)
- kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)
- kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)
- kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)
- kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)
- kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)
- kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)
- kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)
- kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)
Bug Fix(es):
- kernel-rt: update RT source tree to the latest AlmaLinux-8.10.z kernel (JIRA:AlmaLinux-40882)
- [almalinux8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:AlmaLinux-8779)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-kvm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-kvm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.8.1.rt7.349.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583\n* kernel-rt: kernel: PCI interrupt mapping cause oops [almalinux-8] (CVE-2021-46909)\n* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)\n* kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)\n* kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)\n* kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)\n* kernel: Squashfs: check the inode number is not the invalid value of zero (CVE-2024-26982)\n* kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)\n* kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)\n* kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)\n* kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)\n* kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)\n* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)\n* kernel: ovl: fix leaked dentry (CVE-2021-46972)\n* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)\n* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)\n* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)\n* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)\n* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)\n* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)\n* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)\n* kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)\n* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)\n* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)\n* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)\n* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)\n* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)\n* kernel: crypto: (CVE-2024-26974, CVE-2023-52813)\n* kernel: can: (CVE-2023-52878, CVE-2021-47456)\n* kernel: usb: (CVE-2023-52781, CVE-2023-52877)\n* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)\n* kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)\n* kernel: gro: fix ownership transfer (CVE-2024-35890)\n* kernel: erspan: make sure erspan_base_hdr is present in skb-\u0026gt;head (CVE-2024-35888)\n* kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)\n* kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)\n* kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)\n* kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)\n* kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)\n* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)\n* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)\n* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)\n\nBug Fix(es):\n\n* kernel-rt: update RT source tree to the latest AlmaLinux-8.10.z kernel (JIRA:AlmaLinux-40882)\n* [almalinux8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:AlmaLinux-8779)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2024:4352",
"modified": "2024-07-08T18:07:21Z",
"published": "2024-07-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:4352"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2020-26555"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-46909"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-46972"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47069"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47073"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47236"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47310"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47311"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47353"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47356"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47456"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2021-47495"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-5090"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52464"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52560"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52615"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52626"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52667"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52700"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52703"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52781"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52813"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52835"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52877"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52878"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52881"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26583"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26584"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26585"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26656"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26675"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26735"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26759"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26801"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26804"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26826"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26859"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26906"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26907"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26974"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26982"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-27397"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-27410"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35789"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35835"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35838"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35845"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35852"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35853"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35854"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35855"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35888"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35890"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35958"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35959"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35960"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-36004"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-36007"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/1918601"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2248122"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2258875"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2265517"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2265519"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2265520"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2265800"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2266408"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2266831"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2267513"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2267518"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2267730"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2270093"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2271680"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2272692"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2272829"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2273204"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2273278"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2273423"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2273429"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2275604"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2275633"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2275635"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2275733"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2278337"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2278354"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2280434"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281057"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281113"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281157"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281165"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281251"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281253"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281255"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281257"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281272"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281350"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281689"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281693"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281920"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281923"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281925"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281953"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281986"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282394"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282400"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282471"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282472"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282581"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282609"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282612"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282653"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282680"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282698"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282712"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282735"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282902"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2282920"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2024-4352.html"
}
],
"related": [
"CVE-2024-26585",
"CVE-2024-26584",
"CVE-2024-26583",
"CVE-2021-46909",
"CVE-2021-47069",
"CVE-2023-52615",
"CVE-2024-26656",
"CVE-2024-26801",
"CVE-2024-26982",
"CVE-2024-27397",
"CVE-2024-35789",
"CVE-2024-35838",
"CVE-2024-35845",
"CVE-2024-27410",
"CVE-2023-52835",
"CVE-2023-52881",
"CVE-2020-26555",
"CVE-2021-46972",
"CVE-2021-47073",
"CVE-2023-52560",
"CVE-2024-26675",
"CVE-2024-26759",
"CVE-2024-26907",
"CVE-2024-26906",
"CVE-2024-26804",
"CVE-2023-52703",
"CVE-2023-5090",
"CVE-2023-52464",
"CVE-2024-26735",
"CVE-2024-26826",
"CVE-2024-26859",
"CVE-2024-26974",
"CVE-2023-52813",
"CVE-2023-52878",
"CVE-2021-47456",
"CVE-2023-52781",
"CVE-2023-52877",
"CVE-2023-52667",
"CVE-2021-47495",
"CVE-2024-35890",
"CVE-2024-35888",
"CVE-2023-52700",
"CVE-2024-35960",
"CVE-2024-36007",
"CVE-2024-35855",
"CVE-2024-35959",
"CVE-2023-52626",
"CVE-2024-35835",
"CVE-2024-35854",
"CVE-2024-35853",
"CVE-2024-35852",
"CVE-2024-35958",
"CVE-2021-47311",
"CVE-2021-47236",
"CVE-2021-47310",
"CVE-2024-36004",
"CVE-2021-47356",
"CVE-2021-47353"
],
"summary": "Important: kernel-rt security and bug fix update"
}
CVE-2021-47356 (GCVE-0-2021-47356)
Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2025-12-18 11:37
VLAI?
EPSS
Title
mISDN: fix possible use-after-free in HFC_cleanup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: fix possible use-after-free in HFC_cleanup()
This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.
Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.
Severity ?
7.7 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 49331c07ef0f8fdfa42b30ba6a83a657b29d7fbe
(git)
Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 54ff3202928952a100c477248e65ac6db01258a7 (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 7867ddc5f3de7f289aee63233afc0df4b62834c5 (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 5f2818185da0fe82a932f0856633038b66faf124 (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 3ecd228c636ee17c14662729737fa07242a93cb0 (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < b7ee9ae1e0cf55a037c4a99af2acc5d78cb7802d (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 61370ff07e0acc657559a8fac02551dfeb9d3020 (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < ed7c3739d0a07e2ec3ccbffe7e93cea01c438cda (git) Affected: 87c5fa1bb42624254a2013cbbc3b170d6017f5d6 , < 009fc857c5f6fda81f2f7dd851b2d54193a8e733 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "49331c07ef0f",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "54ff32029289",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "7867ddc5f3de",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5f2818185da0",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "3ecd228c636e",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "b7ee9ae1e0cf",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "61370ff07e0a",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "ed7c3739d0a0",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "009fc857c5f6",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.276",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.276",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.240",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.198",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.133",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.51",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.18",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.13.*",
"status": "unaffected",
"version": "5.13.3",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.14"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47356",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T21:04:48.759363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:05:18.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:32:08.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/49331c07ef0f8fdfa42b30ba6a83a657b29d7fbe"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/54ff3202928952a100c477248e65ac6db01258a7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7867ddc5f3de7f289aee63233afc0df4b62834c5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5f2818185da0fe82a932f0856633038b66faf124"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ecd228c636ee17c14662729737fa07242a93cb0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b7ee9ae1e0cf55a037c4a99af2acc5d78cb7802d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/61370ff07e0acc657559a8fac02551dfeb9d3020"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ed7c3739d0a07e2ec3ccbffe7e93cea01c438cda"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/009fc857c5f6fda81f2f7dd851b2d54193a8e733"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcpci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49331c07ef0f8fdfa42b30ba6a83a657b29d7fbe",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "54ff3202928952a100c477248e65ac6db01258a7",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "7867ddc5f3de7f289aee63233afc0df4b62834c5",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "5f2818185da0fe82a932f0856633038b66faf124",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "3ecd228c636ee17c14662729737fa07242a93cb0",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "b7ee9ae1e0cf55a037c4a99af2acc5d78cb7802d",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "61370ff07e0acc657559a8fac02551dfeb9d3020",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "ed7c3739d0a07e2ec3ccbffe7e93cea01c438cda",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
},
{
"lessThan": "009fc857c5f6fda81f2f7dd851b2d54193a8e733",
"status": "affected",
"version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcpci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.13.*",
"status": "unaffected",
"version": "5.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.276",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.276",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.240",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.198",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.133",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.51",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.14",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: fix possible use-after-free in HFC_cleanup()\n\nThis module\u0027s remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver\u0027s remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T11:37:10.140Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49331c07ef0f8fdfa42b30ba6a83a657b29d7fbe"
},
{
"url": "https://git.kernel.org/stable/c/54ff3202928952a100c477248e65ac6db01258a7"
},
{
"url": "https://git.kernel.org/stable/c/7867ddc5f3de7f289aee63233afc0df4b62834c5"
},
{
"url": "https://git.kernel.org/stable/c/5f2818185da0fe82a932f0856633038b66faf124"
},
{
"url": "https://git.kernel.org/stable/c/3ecd228c636ee17c14662729737fa07242a93cb0"
},
{
"url": "https://git.kernel.org/stable/c/b7ee9ae1e0cf55a037c4a99af2acc5d78cb7802d"
},
{
"url": "https://git.kernel.org/stable/c/61370ff07e0acc657559a8fac02551dfeb9d3020"
},
{
"url": "https://git.kernel.org/stable/c/ed7c3739d0a07e2ec3ccbffe7e93cea01c438cda"
},
{
"url": "https://git.kernel.org/stable/c/009fc857c5f6fda81f2f7dd851b2d54193a8e733"
}
],
"title": "mISDN: fix possible use-after-free in HFC_cleanup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47356",
"datePublished": "2024-05-21T14:35:59.097Z",
"dateReserved": "2024-05-21T14:28:16.987Z",
"dateUpdated": "2025-12-18T11:37:10.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47069 (GCVE-0-2021-47069)
Vulnerability from cvelistv5 – Published: 2024-03-01 21:15 – Updated: 2025-05-04 07:03
VLAI?
EPSS
Title
ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry
do_mq_timedreceive calls wq_sleep with a stack local address. The
sender (do_mq_timedsend) uses this address to later call pipelined_send.
This leads to a very hard to trigger race where a do_mq_timedreceive
call might return and leave do_mq_timedsend to rely on an invalid
address, causing the following crash:
RIP: 0010:wake_q_add_safe+0x13/0x60
Call Trace:
__x64_sys_mq_timedsend+0x2a9/0x490
do_syscall_64+0x80/0x680
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5928e40343
The race occurs as:
1. do_mq_timedreceive calls wq_sleep with the address of `struct
ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it
holds a valid `struct ext_wait_queue *` as long as the stack has not
been overwritten.
2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and
do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call
__pipelined_op.
3. Sender calls __pipelined_op::smp_store_release(&this->state,
STATE_READY). Here is where the race window begins. (`this` is
`ewq_addr`.)
4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it
will see `state == STATE_READY` and break.
5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed
to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's
stack. (Although the address may not get overwritten until another
function happens to touch it, which means it can persist around for an
indefinite time.)
6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a
`struct ext_wait_queue *`, and uses it to find a task_struct to pass to
the wake_q_add_safe call. In the lucky case where nothing has
overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct.
In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a
bogus address as the receiver's task_struct causing the crash.
do_mq_timedsend::__pipelined_op() should not dereference `this` after
setting STATE_READY, as the receiver counterpart is now free to return.
Change __pipelined_op to call wake_q_add_safe on the receiver's
task_struct returned by get_task_struct, instead of dereferencing `this`
which sits on the receiver's stack.
As Manfred pointed out, the race potentially also exists in
ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix
those in the same way.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04 , < 4528c0c323085e645b8765913b4a7fd42cf49b65
(git)
Affected: c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04 , < 807fa14536b26803b858da878b643be72952a097 (git) Affected: c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04 , < a11ddb37bf367e6b5239b95ca759e5389bb46048 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T16:15:09.996738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T16:15:20.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:24:39.653Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4528c0c323085e645b8765913b4a7fd42cf49b65"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/807fa14536b26803b858da878b643be72952a097"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a11ddb37bf367e6b5239b95ca759e5389bb46048"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"ipc/mqueue.c",
"ipc/msg.c",
"ipc/sem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4528c0c323085e645b8765913b4a7fd42cf49b65",
"status": "affected",
"version": "c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04",
"versionType": "git"
},
{
"lessThan": "807fa14536b26803b858da878b643be72952a097",
"status": "affected",
"version": "c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04",
"versionType": "git"
},
{
"lessThan": "a11ddb37bf367e6b5239b95ca759e5389bb46048",
"status": "affected",
"version": "c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"ipc/mqueue.c",
"ipc/msg.c",
"ipc/sem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.40",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry\n\ndo_mq_timedreceive calls wq_sleep with a stack local address. The\nsender (do_mq_timedsend) uses this address to later call pipelined_send.\n\nThis leads to a very hard to trigger race where a do_mq_timedreceive\ncall might return and leave do_mq_timedsend to rely on an invalid\naddress, causing the following crash:\n\n RIP: 0010:wake_q_add_safe+0x13/0x60\n Call Trace:\n __x64_sys_mq_timedsend+0x2a9/0x490\n do_syscall_64+0x80/0x680\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n RIP: 0033:0x7f5928e40343\n\nThe race occurs as:\n\n1. do_mq_timedreceive calls wq_sleep with the address of `struct\n ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it\n holds a valid `struct ext_wait_queue *` as long as the stack has not\n been overwritten.\n\n2. `ewq_addr` gets added to info-\u003ee_wait_q[RECV].list in wq_add, and\n do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call\n __pipelined_op.\n\n3. Sender calls __pipelined_op::smp_store_release(\u0026this-\u003estate,\n STATE_READY). Here is where the race window begins. (`this` is\n `ewq_addr`.)\n\n4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it\n will see `state == STATE_READY` and break.\n\n5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed\n to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive\u0027s\n stack. (Although the address may not get overwritten until another\n function happens to touch it, which means it can persist around for an\n indefinite time.)\n\n6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a\n `struct ext_wait_queue *`, and uses it to find a task_struct to pass to\n the wake_q_add_safe call. In the lucky case where nothing has\n overwritten `ewq_addr` yet, `ewq_addr-\u003etask` is the right task_struct.\n In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a\n bogus address as the receiver\u0027s task_struct causing the crash.\n\ndo_mq_timedsend::__pipelined_op() should not dereference `this` after\nsetting STATE_READY, as the receiver counterpart is now free to return.\nChange __pipelined_op to call wake_q_add_safe on the receiver\u0027s\ntask_struct returned by get_task_struct, instead of dereferencing `this`\nwhich sits on the receiver\u0027s stack.\n\nAs Manfred pointed out, the race potentially also exists in\nipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix\nthose in the same way."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:03:33.104Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4528c0c323085e645b8765913b4a7fd42cf49b65"
},
{
"url": "https://git.kernel.org/stable/c/807fa14536b26803b858da878b643be72952a097"
},
{
"url": "https://git.kernel.org/stable/c/a11ddb37bf367e6b5239b95ca759e5389bb46048"
}
],
"title": "ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47069",
"datePublished": "2024-03-01T21:15:08.598Z",
"dateReserved": "2024-02-29T22:33:44.296Z",
"dateUpdated": "2025-05-04T07:03:33.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35854 (GCVE-0-2024-35854)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:47 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
The rehash delayed work migrates filters from one region to another
according to the number of available credits.
The migrated from region is destroyed at the end of the work if the
number of credits is non-negative as the assumption is that this is
indicative of migration being complete. This assumption is incorrect as
a non-negative number of credits can also be the result of a failed
migration.
The destruction of a region that still has filters referencing it can
result in a use-after-free [1].
Fix by not destroying the region if migration failed.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858
CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
Call Trace:
<TASK>
dump_stack_lvl+0xc6/0x120
print_report+0xce/0x670
kasan_report+0xd7/0x110
mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70
mlxsw_sp_acl_atcam_entry_del+0x81/0x210
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50
mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 174:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
__kmalloc+0x19c/0x360
mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0
mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30
Freed by task 7:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
poison_slab_object+0x102/0x170
__kasan_slab_free+0x14/0x30
kfree+0xc1/0x290
mlxsw_sp_acl_tcam_region_destroy+0x272/0x310
mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30
Severity ?
8.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c9c9af91f1d9a636aecc55302c792538e549a430 , < e118e7ea24d1392878ef85926627c6bc640c4388
(git)
Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < a429a912d6c779807f4d72a6cc0a1efaaa3613e1 (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 4c89642ca47fb620914780c7c51d8d1248201121 (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 813e2ab753a8f8c243a39ede20c2e0adc15f3887 (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < a02687044e124f8ccb427cd3632124a4e1a7d7c1 (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 54225988889931467a9b55fdbef534079b665519 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "c9c9af91f1d9"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "5.1"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "0"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.4.275"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.10.216"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.15.158"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.1.90"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.6.30"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.8.9"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.9"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T16:58:28.959142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:17:40.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:47.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e118e7ea24d1392878ef85926627c6bc640c4388",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "a429a912d6c779807f4d72a6cc0a1efaaa3613e1",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "4c89642ca47fb620914780c7c51d8d1248201121",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "813e2ab753a8f8c243a39ede20c2e0adc15f3887",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "311eeaa7b9e26aba5b3d57b09859f07d8e9fc049",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "a02687044e124f8ccb427cd3632124a4e1a7d7c1",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "54225988889931467a9b55fdbef534079b665519",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.158",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.90",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.9",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:54.144Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388"
},
{
"url": "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1"
},
{
"url": "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121"
},
{
"url": "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887"
},
{
"url": "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049"
},
{
"url": "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1"
},
{
"url": "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519"
}
],
"title": "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35854",
"datePublished": "2024-05-17T14:47:30.775Z",
"dateReserved": "2024-05-17T13:50:33.106Z",
"dateUpdated": "2025-05-04T09:06:54.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47456 (GCVE-0-2021-47456)
Vulnerability from cvelistv5 – Published: 2024-05-22 06:19 – Updated: 2025-05-04 07:11
VLAI?
EPSS
Title
can: peak_pci: peak_pci_remove(): fix UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: peak_pci: peak_pci_remove(): fix UAF
When remove the module peek_pci, referencing 'chan' again after
releasing 'dev' will cause UAF.
Fix this by releasing 'dev' later.
The following log reveals it:
[ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]
[ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537
[ 35.965513 ] Call Trace:
[ 35.965718 ] dump_stack_lvl+0xa8/0xd1
[ 35.966028 ] print_address_description+0x87/0x3b0
[ 35.966420 ] kasan_report+0x172/0x1c0
[ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci]
[ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170
[ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci]
[ 35.967945 ] __asan_report_load8_noabort+0x14/0x20
[ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci]
[ 35.968752 ] pci_device_remove+0xa9/0x250
Severity ?
8.4 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 1c616528ba4aeb1125a06b407572ab7b56acae38
(git)
Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 447d44cd2f67a20b596ede3ca3cd67086dfd9ca9 (git) Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 34914971bb3244db4ce2be44e9438a9b30c56250 (git) Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < adbda14730aacce41c0d3596415aa39ad63eafd9 (git) Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 1248582e47a9f7ce0ecd156c39fc61f8b6aa3699 (git) Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 28f28e4bc3a5e0051faa963f10b778ab38c1db69 (git) Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 0e5afdc2315b0737edcf55bede4ee1640d2d464d (git) Affected: e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd , < 949fe9b35570361bc6ee2652f89a0561b26eec98 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "e6d9c80b7ca1"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "3.4"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "0"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "4.4.290"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "4.9.288"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "4.14.253"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "4.19.214"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.4.156"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.10.76"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.14.15"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.15"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:47:53.013850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-467",
"description": "CWE-467 Use of sizeof() on a Pointer Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:15:08.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:39:59.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1c616528ba4aeb1125a06b407572ab7b56acae38"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/447d44cd2f67a20b596ede3ca3cd67086dfd9ca9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/34914971bb3244db4ce2be44e9438a9b30c56250"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/adbda14730aacce41c0d3596415aa39ad63eafd9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1248582e47a9f7ce0ecd156c39fc61f8b6aa3699"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/28f28e4bc3a5e0051faa963f10b778ab38c1db69"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0e5afdc2315b0737edcf55bede4ee1640d2d464d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/949fe9b35570361bc6ee2652f89a0561b26eec98"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sja1000/peak_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c616528ba4aeb1125a06b407572ab7b56acae38",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "447d44cd2f67a20b596ede3ca3cd67086dfd9ca9",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "34914971bb3244db4ce2be44e9438a9b30c56250",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "adbda14730aacce41c0d3596415aa39ad63eafd9",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "1248582e47a9f7ce0ecd156c39fc61f8b6aa3699",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "28f28e4bc3a5e0051faa963f10b778ab38c1db69",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "0e5afdc2315b0737edcf55bede4ee1640d2d464d",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
},
{
"lessThan": "949fe9b35570361bc6ee2652f89a0561b26eec98",
"status": "affected",
"version": "e6d9c80b7ca1504411ad6d7acdb8683e4ae1c9cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/sja1000/peak_pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.288",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.14.*",
"status": "unaffected",
"version": "5.14.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.290",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.288",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.253",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.214",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.156",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.76",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.14.15",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: peak_pci: peak_pci_remove(): fix UAF\n\nWhen remove the module peek_pci, referencing \u0027chan\u0027 again after\nreleasing \u0027dev\u0027 will cause UAF.\n\nFix this by releasing \u0027dev\u0027 later.\n\nThe following log reveals it:\n\n[ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci]\n[ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537\n[ 35.965513 ] Call Trace:\n[ 35.965718 ] dump_stack_lvl+0xa8/0xd1\n[ 35.966028 ] print_address_description+0x87/0x3b0\n[ 35.966420 ] kasan_report+0x172/0x1c0\n[ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170\n[ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci]\n[ 35.967945 ] __asan_report_load8_noabort+0x14/0x20\n[ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci]\n[ 35.968752 ] pci_device_remove+0xa9/0x250"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:11:19.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c616528ba4aeb1125a06b407572ab7b56acae38"
},
{
"url": "https://git.kernel.org/stable/c/447d44cd2f67a20b596ede3ca3cd67086dfd9ca9"
},
{
"url": "https://git.kernel.org/stable/c/34914971bb3244db4ce2be44e9438a9b30c56250"
},
{
"url": "https://git.kernel.org/stable/c/adbda14730aacce41c0d3596415aa39ad63eafd9"
},
{
"url": "https://git.kernel.org/stable/c/1248582e47a9f7ce0ecd156c39fc61f8b6aa3699"
},
{
"url": "https://git.kernel.org/stable/c/28f28e4bc3a5e0051faa963f10b778ab38c1db69"
},
{
"url": "https://git.kernel.org/stable/c/0e5afdc2315b0737edcf55bede4ee1640d2d464d"
},
{
"url": "https://git.kernel.org/stable/c/949fe9b35570361bc6ee2652f89a0561b26eec98"
}
],
"title": "can: peak_pci: peak_pci_remove(): fix UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47456",
"datePublished": "2024-05-22T06:19:45.363Z",
"dateReserved": "2024-05-21T14:58:30.833Z",
"dateUpdated": "2025-05-04T07:11:19.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26907 (GCVE-0-2024-26907)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2026-01-05 10:34
VLAI?
EPSS
Title
RDMA/mlx5: Fix fortify source warning while accessing Eth segment
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix fortify source warning while accessing Eth segment
------------[ cut here ]------------
memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)
WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy
[last unloaded: mlx_compat(OE)]
CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7
RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8
R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80
FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0x72/0x90
? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
? __warn+0x8d/0x160
? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
? report_bug+0x1bb/0x1d0
? handle_bug+0x46/0x90
? exc_invalid_op+0x19/0x80
? asm_exc_invalid_op+0x1b/0x20
? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]
mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]
ipoib_send+0x2ec/0x770 [ib_ipoib]
ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]
dev_hard_start_xmit+0x8e/0x1e0
? validate_xmit_skb_list+0x4d/0x80
sch_direct_xmit+0x116/0x3a0
__dev_xmit_skb+0x1fd/0x580
__dev_queue_xmit+0x284/0x6b0
? _raw_spin_unlock_irq+0xe/0x50
? __flush_work.isra.0+0x20d/0x370
? push_pseudo_header+0x17/0x40 [ib_ipoib]
neigh_connected_output+0xcd/0x110
ip_finish_output2+0x179/0x480
? __smp_call_single_queue+0x61/0xa0
__ip_finish_output+0xc3/0x190
ip_finish_output+0x2e/0xf0
ip_output+0x78/0x110
? __pfx_ip_finish_output+0x10/0x10
ip_local_out+0x64/0x70
__ip_queue_xmit+0x18a/0x460
ip_queue_xmit+0x15/0x30
__tcp_transmit_skb+0x914/0x9c0
tcp_write_xmit+0x334/0x8d0
tcp_push_one+0x3c/0x60
tcp_sendmsg_locked+0x2e1/0xac0
tcp_sendmsg+0x2d/0x50
inet_sendmsg+0x43/0x90
sock_sendmsg+0x68/0x80
sock_write_iter+0x93/0x100
vfs_write+0x326/0x3c0
ksys_write+0xbd/0xf0
? do_syscall_64+0x69/0x90
__x64_sys_write+0x19/0x30
do_syscall_
---truncated---
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
34f4c9554d8b2a7d2deb9503e9373b598ee3279f , < d27c48dc309da72c3b46351a1205d89687272baa
(git)
Affected: 34f4c9554d8b2a7d2deb9503e9373b598ee3279f , < 60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d (git) Affected: 34f4c9554d8b2a7d2deb9503e9373b598ee3279f , < cad82f1671e41094acd3b9a60cd27d67a3c64a21 (git) Affected: 34f4c9554d8b2a7d2deb9503e9373b598ee3279f , < 9a624a5f95733bac4648ecadb320ca83aa9c08fd (git) Affected: 34f4c9554d8b2a7d2deb9503e9373b598ee3279f , < 185fa07000e0a81d54cf8c05414cebff14469a5c (git) Affected: 34f4c9554d8b2a7d2deb9503e9373b598ee3279f , < 4d5e86a56615cc387d21c629f9af8fb0e958d350 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d27c48dc309da72c3b46351a1205d89687272baa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cad82f1671e41094acd3b9a60cd27d67a3c64a21"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9a624a5f95733bac4648ecadb320ca83aa9c08fd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/185fa07000e0a81d54cf8c05414cebff14469a5c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4d5e86a56615cc387d21c629f9af8fb0e958d350"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "d27c48dc309d",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.11",
"status": "unaffected",
"version": "5.10.214",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.2",
"status": "unaffected",
"version": "6.183",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "unaffected",
"version": "6.623",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.8",
"status": "unaffected",
"version": "6.711",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.16",
"status": "unaffected",
"version": "5.15.153",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "60ba938a8bc8",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
},
{
"lessThanOrEqual": "cad82f1671e4",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
},
{
"lessThanOrEqual": "9a624a5f9573",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
},
{
"lessThanOrEqual": "185fa07000e0",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
},
{
"lessThanOrEqual": "4d5e86a56615",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26907",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T16:55:44.551098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:55:51.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/wr.c",
"include/linux/mlx5/qp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d27c48dc309da72c3b46351a1205d89687272baa",
"status": "affected",
"version": "34f4c9554d8b2a7d2deb9503e9373b598ee3279f",
"versionType": "git"
},
{
"lessThan": "60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d",
"status": "affected",
"version": "34f4c9554d8b2a7d2deb9503e9373b598ee3279f",
"versionType": "git"
},
{
"lessThan": "cad82f1671e41094acd3b9a60cd27d67a3c64a21",
"status": "affected",
"version": "34f4c9554d8b2a7d2deb9503e9373b598ee3279f",
"versionType": "git"
},
{
"lessThan": "9a624a5f95733bac4648ecadb320ca83aa9c08fd",
"status": "affected",
"version": "34f4c9554d8b2a7d2deb9503e9373b598ee3279f",
"versionType": "git"
},
{
"lessThan": "185fa07000e0a81d54cf8c05414cebff14469a5c",
"status": "affected",
"version": "34f4c9554d8b2a7d2deb9503e9373b598ee3279f",
"versionType": "git"
},
{
"lessThan": "4d5e86a56615cc387d21c629f9af8fb0e958d350",
"status": "affected",
"version": "34f4c9554d8b2a7d2deb9503e9373b598ee3279f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/wr.c",
"include/linux/mlx5/qp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\n\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg-\u003einline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da \u003c0f\u003e 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x72/0x90\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? __warn+0x8d/0x160\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? report_bug+0x1bb/0x1d0\n ? handle_bug+0x46/0x90\n ? exc_invalid_op+0x19/0x80\n ? asm_exc_invalid_op+0x1b/0x20\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n ipoib_send+0x2ec/0x770 [ib_ipoib]\n ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n dev_hard_start_xmit+0x8e/0x1e0\n ? validate_xmit_skb_list+0x4d/0x80\n sch_direct_xmit+0x116/0x3a0\n __dev_xmit_skb+0x1fd/0x580\n __dev_queue_xmit+0x284/0x6b0\n ? _raw_spin_unlock_irq+0xe/0x50\n ? __flush_work.isra.0+0x20d/0x370\n ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n neigh_connected_output+0xcd/0x110\n ip_finish_output2+0x179/0x480\n ? __smp_call_single_queue+0x61/0xa0\n __ip_finish_output+0xc3/0x190\n ip_finish_output+0x2e/0xf0\n ip_output+0x78/0x110\n ? __pfx_ip_finish_output+0x10/0x10\n ip_local_out+0x64/0x70\n __ip_queue_xmit+0x18a/0x460\n ip_queue_xmit+0x15/0x30\n __tcp_transmit_skb+0x914/0x9c0\n tcp_write_xmit+0x334/0x8d0\n tcp_push_one+0x3c/0x60\n tcp_sendmsg_locked+0x2e1/0xac0\n tcp_sendmsg+0x2d/0x50\n inet_sendmsg+0x43/0x90\n sock_sendmsg+0x68/0x80\n sock_write_iter+0x93/0x100\n vfs_write+0x326/0x3c0\n ksys_write+0xbd/0xf0\n ? do_syscall_64+0x69/0x90\n __x64_sys_write+0x19/0x30\n do_syscall_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:34:57.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d27c48dc309da72c3b46351a1205d89687272baa"
},
{
"url": "https://git.kernel.org/stable/c/60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d"
},
{
"url": "https://git.kernel.org/stable/c/cad82f1671e41094acd3b9a60cd27d67a3c64a21"
},
{
"url": "https://git.kernel.org/stable/c/9a624a5f95733bac4648ecadb320ca83aa9c08fd"
},
{
"url": "https://git.kernel.org/stable/c/185fa07000e0a81d54cf8c05414cebff14469a5c"
},
{
"url": "https://git.kernel.org/stable/c/4d5e86a56615cc387d21c629f9af8fb0e958d350"
}
],
"title": "RDMA/mlx5: Fix fortify source warning while accessing Eth segment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26907",
"datePublished": "2024-04-17T10:27:54.194Z",
"dateReserved": "2024-02-19T14:20:24.187Z",
"dateUpdated": "2026-01-05T10:34:57.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35845 (GCVE-0-2024-35845)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:40 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
wifi: iwlwifi: dbg-tlv: ensure NUL termination
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: dbg-tlv: ensure NUL termination
The iwl_fw_ini_debug_info_tlv is used as a string, so we must
ensure the string is terminated correctly before using it.
Severity ?
9.1 (Critical)
CWE
- CWE-134 - Use of Externally-Controlled Format String
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a9248de42464e546b624e3fc6a8b04b991af3591 , < fabe2db7de32a881e437ee69db32e0de785a6209
(git)
Affected: a9248de42464e546b624e3fc6a8b04b991af3591 , < 96aa40761673da045a7774f874487cdb50c6a2f7 (git) Affected: a9248de42464e546b624e3fc6a8b04b991af3591 , < c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a (git) Affected: a9248de42464e546b624e3fc6a8b04b991af3591 , < 783d413f332a3ebec916664b366c28f58147f82c (git) Affected: a9248de42464e546b624e3fc6a8b04b991af3591 , < fec14d1cdd92f340b9ba2bd220abf96f9609f2a9 (git) Affected: a9248de42464e546b624e3fc6a8b04b991af3591 , < 71d4186d470e9cda7cd1a0921b4afda737c6f641 (git) Affected: a9248de42464e546b624e3fc6a8b04b991af3591 , < ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "a9248de42464"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "5.5"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "0"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.10.214"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "5.15.153"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.1.83"
}
]
},
{
"cpes": [
"cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.6.23"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.7.11"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.8.2"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.9"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T17:22:01.418573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134 Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:19:05.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fabe2db7de32a881e437ee69db32e0de785a6209",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
},
{
"lessThan": "96aa40761673da045a7774f874487cdb50c6a2f7",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
},
{
"lessThan": "c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
},
{
"lessThan": "783d413f332a3ebec916664b366c28f58147f82c",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
},
{
"lessThan": "fec14d1cdd92f340b9ba2bd220abf96f9609f2a9",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
},
{
"lessThan": "71d4186d470e9cda7cd1a0921b4afda737c6f641",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
},
{
"lessThan": "ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea",
"status": "affected",
"version": "a9248de42464e546b624e3fc6a8b04b991af3591",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\n\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:42.675Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209"
},
{
"url": "https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7"
},
{
"url": "https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a"
},
{
"url": "https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c"
},
{
"url": "https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9"
},
{
"url": "https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641"
},
{
"url": "https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea"
}
],
"title": "wifi: iwlwifi: dbg-tlv: ensure NUL termination",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35845",
"datePublished": "2024-05-17T14:40:12.134Z",
"dateReserved": "2024-05-17T13:50:33.105Z",
"dateUpdated": "2025-05-04T09:06:42.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52626 (GCVE-0-2023-52626)
Vulnerability from cvelistv5 – Published: 2024-03-26 17:49 – Updated: 2025-05-04 12:49
VLAI?
EPSS
Title
net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context
Indirection (*) is of lower precedence than postfix increment (++). Logic
in napi_poll context would cause an out-of-bound read by first increment
the pointer address by byte address space and then dereference the value.
Rather, the intended logic was to dereference first and then increment the
underlying value.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e5d30f7da35720060299483e65fc372980a82dfb , < 40e0d0746390c5b0c31144f4f1688d72f3f8d790
(git)
Affected: 92214be5979c0961a471b7eaaaeacab41bdf456c , < 33cdeae8c6fb58cc445f859b67c014dc9f60b4e0 (git) Affected: 92214be5979c0961a471b7eaaaeacab41bdf456c , < 3876638b2c7ebb2c9d181de1191db0de8cac143a (git) Affected: 42b11d1293e5a0f932c0b6e891b2c7bae57b839d (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:21.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/40e0d0746390c5b0c31144f4f1688d72f3f8d790"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/33cdeae8c6fb58cc445f859b67c014dc9f60b4e0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3876638b2c7ebb2c9d181de1191db0de8cac143a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:54:09.330337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:43.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40e0d0746390c5b0c31144f4f1688d72f3f8d790",
"status": "affected",
"version": "e5d30f7da35720060299483e65fc372980a82dfb",
"versionType": "git"
},
{
"lessThan": "33cdeae8c6fb58cc445f859b67c014dc9f60b4e0",
"status": "affected",
"version": "92214be5979c0961a471b7eaaaeacab41bdf456c",
"versionType": "git"
},
{
"lessThan": "3876638b2c7ebb2c9d181de1191db0de8cac143a",
"status": "affected",
"version": "92214be5979c0961a471b7eaaaeacab41bdf456c",
"versionType": "git"
},
{
"status": "affected",
"version": "42b11d1293e5a0f932c0b6e891b2c7bae57b839d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "6.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix operation precedence bug in port timestamping napi_poll context\n\nIndirection (*) is of lower precedence than postfix increment (++). Logic\nin napi_poll context would cause an out-of-bound read by first increment\nthe pointer address by byte address space and then dereference the value.\nRather, the intended logic was to dereference first and then increment the\nunderlying value."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:21.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40e0d0746390c5b0c31144f4f1688d72f3f8d790"
},
{
"url": "https://git.kernel.org/stable/c/33cdeae8c6fb58cc445f859b67c014dc9f60b4e0"
},
{
"url": "https://git.kernel.org/stable/c/3876638b2c7ebb2c9d181de1191db0de8cac143a"
}
],
"title": "net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52626",
"datePublished": "2024-03-26T17:49:59.220Z",
"dateReserved": "2024-03-06T09:52:12.090Z",
"dateUpdated": "2025-05-04T12:49:21.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35789 (GCVE-0-2024-35789)
Vulnerability from cvelistv5 – Published: 2024-05-17 12:24 – Updated: 2025-05-21 09:12
VLAI?
EPSS
Title
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
When moving a station out of a VLAN and deleting the VLAN afterwards, the
fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
after the VLAN change.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a7f1721684628b8ae6015bca9a176046ee6f30cc , < ea9a0cfc07a7d3601cc680718d9cff0d6927a921
(git)
Affected: bd7e90c82850f49c23004d54de14e46d373748a6 , < be1dd9254fc115321d6fbee042026d42afc8d931 (git) Affected: cc413b375c6d95e68a4629cb1ba9d099de78ebb9 , < e8b067c4058c0121ac8ca71559df8e2e08ff1a7e (git) Affected: dd0b45538146cb6a54d6da7663b8c3afd16ebcfd , < c8bddbd91bc8e42c961a5e2cec20ab879f21100f (git) Affected: dd0b45538146cb6a54d6da7663b8c3afd16ebcfd , < 7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b (git) Affected: dd0b45538146cb6a54d6da7663b8c3afd16ebcfd , < 6b948b54c8bd620725e0c906e44b10c0b13087a7 (git) Affected: dd0b45538146cb6a54d6da7663b8c3afd16ebcfd , < 2884a50f52313a7a911de3afcad065ddbb3d78fc (git) Affected: dd0b45538146cb6a54d6da7663b8c3afd16ebcfd , < e8678551c0243f799b4859448781cbec1bd6f1cb (git) Affected: dd0b45538146cb6a54d6da7663b8c3afd16ebcfd , < 4f2bdb3c5e3189297e156b3ff84b140423d64685 (git) Affected: 22bc2a4814440c4a8979a381f46fec5d224f5c11 (git) Affected: 7cfe824f681e1aaac34ea64bb4def8a77801b672 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T14:19:23.131138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:33:29.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:47.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea9a0cfc07a7d3601cc680718d9cff0d6927a921",
"status": "affected",
"version": "a7f1721684628b8ae6015bca9a176046ee6f30cc",
"versionType": "git"
},
{
"lessThan": "be1dd9254fc115321d6fbee042026d42afc8d931",
"status": "affected",
"version": "bd7e90c82850f49c23004d54de14e46d373748a6",
"versionType": "git"
},
{
"lessThan": "e8b067c4058c0121ac8ca71559df8e2e08ff1a7e",
"status": "affected",
"version": "cc413b375c6d95e68a4629cb1ba9d099de78ebb9",
"versionType": "git"
},
{
"lessThan": "c8bddbd91bc8e42c961a5e2cec20ab879f21100f",
"status": "affected",
"version": "dd0b45538146cb6a54d6da7663b8c3afd16ebcfd",
"versionType": "git"
},
{
"lessThan": "7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b",
"status": "affected",
"version": "dd0b45538146cb6a54d6da7663b8c3afd16ebcfd",
"versionType": "git"
},
{
"lessThan": "6b948b54c8bd620725e0c906e44b10c0b13087a7",
"status": "affected",
"version": "dd0b45538146cb6a54d6da7663b8c3afd16ebcfd",
"versionType": "git"
},
{
"lessThan": "2884a50f52313a7a911de3afcad065ddbb3d78fc",
"status": "affected",
"version": "dd0b45538146cb6a54d6da7663b8c3afd16ebcfd",
"versionType": "git"
},
{
"lessThan": "e8678551c0243f799b4859448781cbec1bd6f1cb",
"status": "affected",
"version": "dd0b45538146cb6a54d6da7663b8c3afd16ebcfd",
"versionType": "git"
},
{
"lessThan": "4f2bdb3c5e3189297e156b3ff84b140423d64685",
"status": "affected",
"version": "dd0b45538146cb6a54d6da7663b8c3afd16ebcfd",
"versionType": "git"
},
{
"status": "affected",
"version": "22bc2a4814440c4a8979a381f46fec5d224f5c11",
"versionType": "git"
},
{
"status": "affected",
"version": "7cfe824f681e1aaac34ea64bb4def8a77801b672",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "4.19.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "5.4.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "5.10.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN\u0027s netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T09:12:34.451Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921"
},
{
"url": "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931"
},
{
"url": "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e"
},
{
"url": "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f"
},
{
"url": "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b"
},
{
"url": "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7"
},
{
"url": "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc"
},
{
"url": "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb"
},
{
"url": "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685"
}
],
"title": "wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35789",
"datePublished": "2024-05-17T12:24:42.323Z",
"dateReserved": "2024-05-17T12:19:12.338Z",
"dateUpdated": "2025-05-21T09:12:34.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52560 (GCVE-0-2023-52560)
Vulnerability from cvelistv5 – Published: 2024-03-02 21:59 – Updated: 2025-05-04 07:38
VLAI?
EPSS
Title
mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()
When CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y
and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.
Since commit 9f86d624292c ("mm/damon/vaddr-test: remove unnecessary
variables"), the damon_destroy_ctx() is removed, but still call
damon_new_target() and damon_new_region(), the damon_region which is
allocated by kmem_cache_alloc() in damon_new_region() and the damon_target
which is allocated by kmalloc in damon_new_target() are not freed. And
the damon_region which is allocated in damon_new_region() in
damon_set_regions() is also not freed.
So use damon_destroy_target to free all the damon_regions and damon_target.
unreferenced object 0xffff888107c9a940 (size 64):
comm "kunit_try_catch", pid 1069, jiffies 4294670592 (age 732.761s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk
60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff `...............
backtrace:
[<ffffffff817e0167>] kmalloc_trace+0x27/0xa0
[<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0
[<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0
[<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffffffff81003791>] ret_from_fork_asm+0x11/0x20
unreferenced object 0xffff8881079cc740 (size 56):
comm "kunit_try_catch", pid 1069, jiffies 4294670592 (age 732.761s)
hex dump (first 32 bytes):
05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................
6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk
backtrace:
[<ffffffff819bc492>] damon_new_region+0x22/0x1c0
[<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0
[<ffffffff819c82be>] damon_test_apply_three_regions1+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffffffff81003791>] ret_from_fork_asm+0x11/0x20
unreferenced object 0xffff888107c9ac40 (size 64):
comm "kunit_try_catch", pid 1071, jiffies 4294670595 (age 732.843s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk
a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff ........x.v.....
backtrace:
[<ffffffff817e0167>] kmalloc_trace+0x27/0xa0
[<ffffffff819c11cf>] damon_new_target+0x3f/0x1b0
[<ffffffff819c7d55>] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0
[<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffffffff81003791>] ret_from_fork_asm+0x11/0x20
unreferenced object 0xffff8881079ccc80 (size 56):
comm "kunit_try_catch", pid 1071, jiffies 4294670595 (age 732.843s)
hex dump (first 32 bytes):
05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................
6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk
backtrace:
[<ffffffff819bc492>] damon_new_region+0x22/0x1c0
[<ffffffff819c7d91>] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0
[<ffffffff819c851e>] damon_test_apply_three_regions2+0x21e/0x260
[<ffffffff829fce6a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
[<ffffffff81237cf6>] kthread+0x2b6/0x380
[<ffffffff81097add>] ret_from_fork+0x2d/0x70
[<ffff
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9f86d624292c238203b3687cdb870a2cde1a6f9b , < 9a4fe81a8644b717d57d81ce5849e16583b13fe8
(git)
Affected: 9f86d624292c238203b3687cdb870a2cde1a6f9b , < 6b522001693aa113d97a985abc5f6932972e8e86 (git) Affected: 9f86d624292c238203b3687cdb870a2cde1a6f9b , < 45120b15743fa7c0aa53d5db6dfb4c8f87be4abd (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T15:35:56.845645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:24:06.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:20.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9a4fe81a8644b717d57d81ce5849e16583b13fe8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6b522001693aa113d97a985abc5f6932972e8e86"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/45120b15743fa7c0aa53d5db6dfb4c8f87be4abd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/vaddr-test.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a4fe81a8644b717d57d81ce5849e16583b13fe8",
"status": "affected",
"version": "9f86d624292c238203b3687cdb870a2cde1a6f9b",
"versionType": "git"
},
{
"lessThan": "6b522001693aa113d97a985abc5f6932972e8e86",
"status": "affected",
"version": "9f86d624292c238203b3687cdb870a2cde1a6f9b",
"versionType": "git"
},
{
"lessThan": "45120b15743fa7c0aa53d5db6dfb4c8f87be4abd",
"status": "affected",
"version": "9f86d624292c238203b3687cdb870a2cde1a6f9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/vaddr-test.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.6",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()\n\nWhen CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y\nand CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected.\n\nSince commit 9f86d624292c (\"mm/damon/vaddr-test: remove unnecessary\nvariables\"), the damon_destroy_ctx() is removed, but still call\ndamon_new_target() and damon_new_region(), the damon_region which is\nallocated by kmem_cache_alloc() in damon_new_region() and the damon_target\nwhich is allocated by kmalloc in damon_new_target() are not freed. And\nthe damon_region which is allocated in damon_new_region() in\ndamon_set_regions() is also not freed.\n\nSo use damon_destroy_target to free all the damon_regions and damon_target.\n\n unreferenced object 0xffff888107c9a940 (size 64):\n comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk\n 60 c7 9c 07 81 88 ff ff f8 cb 9c 07 81 88 ff ff `...............\n backtrace:\n [\u003cffffffff817e0167\u003e] kmalloc_trace+0x27/0xa0\n [\u003cffffffff819c11cf\u003e] damon_new_target+0x3f/0x1b0\n [\u003cffffffff819c7d55\u003e] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n [\u003cffffffff819c82be\u003e] damon_test_apply_three_regions1+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffffffff81003791\u003e] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff8881079cc740 (size 56):\n comm \"kunit_try_catch\", pid 1069, jiffies 4294670592 (age 732.761s)\n hex dump (first 32 bytes):\n 05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................\n 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk\n backtrace:\n [\u003cffffffff819bc492\u003e] damon_new_region+0x22/0x1c0\n [\u003cffffffff819c7d91\u003e] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n [\u003cffffffff819c82be\u003e] damon_test_apply_three_regions1+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffffffff81003791\u003e] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff888107c9ac40 (size 64):\n comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 06 00 00 00 6b 6b 6b 6b ............kkkk\n a0 cc 9c 07 81 88 ff ff 78 a1 76 07 81 88 ff ff ........x.v.....\n backtrace:\n [\u003cffffffff817e0167\u003e] kmalloc_trace+0x27/0xa0\n [\u003cffffffff819c11cf\u003e] damon_new_target+0x3f/0x1b0\n [\u003cffffffff819c7d55\u003e] damon_do_test_apply_three_regions.constprop.0+0x95/0x3e0\n [\u003cffffffff819c851e\u003e] damon_test_apply_three_regions2+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffffffff81003791\u003e] ret_from_fork_asm+0x11/0x20\n unreferenced object 0xffff8881079ccc80 (size 56):\n comm \"kunit_try_catch\", pid 1071, jiffies 4294670595 (age 732.843s)\n hex dump (first 32 bytes):\n 05 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ................\n 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk\n backtrace:\n [\u003cffffffff819bc492\u003e] damon_new_region+0x22/0x1c0\n [\u003cffffffff819c7d91\u003e] damon_do_test_apply_three_regions.constprop.0+0xd1/0x3e0\n [\u003cffffffff819c851e\u003e] damon_test_apply_three_regions2+0x21e/0x260\n [\u003cffffffff829fce6a\u003e] kunit_generic_run_threadfn_adapter+0x4a/0x90\n [\u003cffffffff81237cf6\u003e] kthread+0x2b6/0x380\n [\u003cffffffff81097add\u003e] ret_from_fork+0x2d/0x70\n [\u003cffff\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:38:46.798Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a4fe81a8644b717d57d81ce5849e16583b13fe8"
},
{
"url": "https://git.kernel.org/stable/c/6b522001693aa113d97a985abc5f6932972e8e86"
},
{
"url": "https://git.kernel.org/stable/c/45120b15743fa7c0aa53d5db6dfb4c8f87be4abd"
}
],
"title": "mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52560",
"datePublished": "2024-03-02T21:59:34.084Z",
"dateReserved": "2024-03-02T21:55:42.566Z",
"dateUpdated": "2025-05-04T07:38:46.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26583 (GCVE-0-2024-26583)
Vulnerability from cvelistv5 – Published: 2024-02-21 14:59 – Updated: 2025-11-04 18:29
VLAI?
EPSS
Title
tls: fix race between async notify and socket close
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: fix race between async notify and socket close
The submitting thread (one which called recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete()
so any code past that point risks touching already freed data.
Try to avoid the locking and extra flags altogether.
Have the main thread hold an extra reference, this way
we can depend solely on the atomic ref counter for
synchronization.
Don't futz with reiniting the completion, either, we are now
tightly controlling when completion fires.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0cada33241d9de205522e3858b18e506ca5cce2c , < f17d21ea73918ace8afb9c2d8e734dbf71c2c9d7
(git)
Affected: 0cada33241d9de205522e3858b18e506ca5cce2c , < 7a3ca06d04d589deec81f56229a9a9d62352ce01 (git) Affected: 0cada33241d9de205522e3858b18e506ca5cce2c , < 86dc27ee36f558fe223dbdfbfcb6856247356f4a (git) Affected: 0cada33241d9de205522e3858b18e506ca5cce2c , < 6209319b2efdd8524691187ee99c40637558fa33 (git) Affected: 0cada33241d9de205522e3858b18e506ca5cce2c , < aec7961916f3f9e88766e2688992da6980f11b8d (git) Affected: cf4cc95a15f599560c7abd89095a7973a4b9cec3 (git) Affected: 9b81d43da15e56ed89f083f326561acdcaf549ce (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:41:40.480459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:01.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:29:46.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f17d21ea73918ace8afb9c2d8e734dbf71c2c9d7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tls.h",
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f17d21ea73918ace8afb9c2d8e734dbf71c2c9d7",
"status": "affected",
"version": "0cada33241d9de205522e3858b18e506ca5cce2c",
"versionType": "git"
},
{
"lessThan": "7a3ca06d04d589deec81f56229a9a9d62352ce01",
"status": "affected",
"version": "0cada33241d9de205522e3858b18e506ca5cce2c",
"versionType": "git"
},
{
"lessThan": "86dc27ee36f558fe223dbdfbfcb6856247356f4a",
"status": "affected",
"version": "0cada33241d9de205522e3858b18e506ca5cce2c",
"versionType": "git"
},
{
"lessThan": "6209319b2efdd8524691187ee99c40637558fa33",
"status": "affected",
"version": "0cada33241d9de205522e3858b18e506ca5cce2c",
"versionType": "git"
},
{
"lessThan": "aec7961916f3f9e88766e2688992da6980f11b8d",
"status": "affected",
"version": "0cada33241d9de205522e3858b18e506ca5cce2c",
"versionType": "git"
},
{
"status": "affected",
"version": "cf4cc95a15f599560c7abd89095a7973a4b9cec3",
"versionType": "git"
},
{
"status": "affected",
"version": "9b81d43da15e56ed89f083f326561acdcaf549ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tls.h",
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon\u0027t futz with reiniting the completion, either, we are now\ntightly controlling when completion fires."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:54:14.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f17d21ea73918ace8afb9c2d8e734dbf71c2c9d7"
},
{
"url": "https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01"
},
{
"url": "https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a"
},
{
"url": "https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33"
},
{
"url": "https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d"
}
],
"title": "tls: fix race between async notify and socket close",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26583",
"datePublished": "2024-02-21T14:59:11.845Z",
"dateReserved": "2024-02-19T14:20:24.125Z",
"dateUpdated": "2025-11-04T18:29:46.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52877 (GCVE-0-2023-52877)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:32 – Updated: 2025-05-04 07:44
VLAI?
EPSS
Title
usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
It is possible that typec_register_partner() returns ERR_PTR on failure.
When port->partner is an error, a NULL pointer dereference may occur as
shown below.
[91222.095236][ T319] typec port0: failed to register partner (-17)
...
[91225.061491][ T319] Unable to handle kernel NULL pointer dereference
at virtual address 000000000000039f
[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc
[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc
[91225.308067][ T319] Call trace:
[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc
[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8
[91225.355900][ T319] kthread_worker_fn+0x178/0x58c
[91225.355902][ T319] kthread+0x150/0x200
[91225.355905][ T319] ret_from_fork+0x10/0x30
Add a check for port->partner to avoid dereferencing a NULL pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5e1d4c49fbc86dab6e005d66f066bd53c9479cde , < e5f53a68a596e04df3fde3099273435a30b6fdac
(git)
Affected: 5e1d4c49fbc86dab6e005d66f066bd53c9479cde , < e7a802447c491903aa7cb45967aa2a934a4e63fc (git) Affected: 5e1d4c49fbc86dab6e005d66f066bd53c9479cde , < 9ee038590d808a95d16adf92818dcd4752273c08 (git) Affected: 5e1d4c49fbc86dab6e005d66f066bd53c9479cde , < b37a168c0137156042a0ca9626651b5a789e822b (git) Affected: 5e1d4c49fbc86dab6e005d66f066bd53c9479cde , < 4987daf86c152ff882d51572d154ad12e4ff3a4b (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52877",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T19:16:07.522837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T19:16:15.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:36.091Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/tcpm/tcpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5f53a68a596e04df3fde3099273435a30b6fdac",
"status": "affected",
"version": "5e1d4c49fbc86dab6e005d66f066bd53c9479cde",
"versionType": "git"
},
{
"lessThan": "e7a802447c491903aa7cb45967aa2a934a4e63fc",
"status": "affected",
"version": "5e1d4c49fbc86dab6e005d66f066bd53c9479cde",
"versionType": "git"
},
{
"lessThan": "9ee038590d808a95d16adf92818dcd4752273c08",
"status": "affected",
"version": "5e1d4c49fbc86dab6e005d66f066bd53c9479cde",
"versionType": "git"
},
{
"lessThan": "b37a168c0137156042a0ca9626651b5a789e822b",
"status": "affected",
"version": "5e1d4c49fbc86dab6e005d66f066bd53c9479cde",
"versionType": "git"
},
{
"lessThan": "4987daf86c152ff882d51572d154ad12e4ff3a4b",
"status": "affected",
"version": "5e1d4c49fbc86dab6e005d66f066bd53c9479cde",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/tcpm/tcpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.138",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.62",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.1",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port-\u003epartner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][ T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][ T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][ T319] Call trace:\n[91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][ T319] kthread_worker_fn+0x178/0x58c\n[91225.355902][ T319] kthread+0x150/0x200\n[91225.355905][ T319] ret_from_fork+0x10/0x30\n\nAdd a check for port-\u003epartner to avoid dereferencing a NULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:44:59.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac"
},
{
"url": "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc"
},
{
"url": "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08"
},
{
"url": "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b"
},
{
"url": "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b"
}
],
"title": "usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52877",
"datePublished": "2024-05-21T15:32:09.946Z",
"dateReserved": "2024-05-21T15:19:24.264Z",
"dateUpdated": "2025-05-04T07:44:59.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35853 (GCVE-0-2024-35853)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:47 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
The rehash delayed work migrates filters from one region to another.
This is done by iterating over all chunks (all the filters with the same
priority) in the region and in each chunk iterating over all the
filters.
If the migration fails, the code tries to migrate the filters back to
the old region. However, the rollback itself can also fail in which case
another migration will be erroneously performed. Besides the fact that
this ping pong is not a very good idea, it also creates a problem.
Each virtual chunk references two chunks: The currently used one
('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the
first holds the chunk we want to migrate filters to and the second holds
the chunk we are migrating filters from.
The code currently assumes - but does not verify - that the backup chunk
does not exist (NULL) if the currently used chunk does not reference the
target region. This assumption breaks when we are trying to rollback a
rollback, resulting in the backup chunk being overwritten and leaked
[1].
Fix by not rolling back a failed rollback and add a warning to avoid
future cases.
[1]
WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20
Modules linked in:
CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:parman_destroy+0x17/0x20
[...]
Call Trace:
<TASK>
mlxsw_sp_acl_atcam_region_fini+0x19/0x60
mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0
mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470
process_one_work+0x151/0x370
worker_thread+0x2cb/0x3e0
kthread+0xd0/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
Severity ?
6.4 (Medium)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
843500518509128a935edab96bd8efef7c54669e , < c6f3fa7f5a748bf6e5c4eb742686d6952f854e76
(git)
Affected: 843500518509128a935edab96bd8efef7c54669e , < 617e98ba4c50f4547c9eb0946b1cfc26937d70d1 (git) Affected: 843500518509128a935edab96bd8efef7c54669e , < 413a01886c3958d4b8aac23a3bff3d430b92093e (git) Affected: 843500518509128a935edab96bd8efef7c54669e , < b822644fd90992ee362c5e0c8d2556efc8856c76 (git) Affected: 843500518509128a935edab96bd8efef7c54669e , < 0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf (git) Affected: 843500518509128a935edab96bd8efef7c54669e , < b3fd51f684a0711504f82de510da109ae639722d (git) Affected: 843500518509128a935edab96bd8efef7c54669e , < 8ca3f7a7b61393804c46f170743c3b839df13977 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "c6f3fa7f5a74",
"status": "affected",
"version": "843500518509",
"versionType": "git"
},
{
"lessThan": "617e98ba4c50",
"status": "affected",
"version": "843500518509",
"versionType": "git"
},
{
"lessThan": "413a01886c39",
"status": "affected",
"version": "843500518509",
"versionType": "git"
},
{
"lessThan": "b822644fd909",
"status": "affected",
"version": "843500518509",
"versionType": "git"
},
{
"lessThan": "0ae8ff7b6d42",
"status": "affected",
"version": "843500518509",
"versionType": "git"
},
{
"lessThan": "b3fd51f684a0",
"status": "affected",
"version": "843500518509",
"versionType": "git"
},
{
"lessThan": "8ca3f7a7b613",
"status": "affected",
"version": "843500518509",
"versionType": "git"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T17:34:35.252109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T13:51:48.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6f3fa7f5a748bf6e5c4eb742686d6952f854e76",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
},
{
"lessThan": "617e98ba4c50f4547c9eb0946b1cfc26937d70d1",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
},
{
"lessThan": "413a01886c3958d4b8aac23a3bff3d430b92093e",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
},
{
"lessThan": "b822644fd90992ee362c5e0c8d2556efc8856c76",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
},
{
"lessThan": "0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
},
{
"lessThan": "b3fd51f684a0711504f82de510da109ae639722d",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
},
{
"lessThan": "8ca3f7a7b61393804c46f170743c3b839df13977",
"status": "affected",
"version": "843500518509128a935edab96bd8efef7c54669e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.158",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.90",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.9",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n(\u0027vchunk-\u003echunk\u0027) and a backup (\u0027vchunk-\u003echunk2\u0027). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \u003cTASK\u003e\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:52.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76"
},
{
"url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1"
},
{
"url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e"
},
{
"url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76"
},
{
"url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf"
},
{
"url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d"
},
{
"url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977"
}
],
"title": "mlxsw: spectrum_acl_tcam: Fix memory leak during rehash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35853",
"datePublished": "2024-05-17T14:47:30.109Z",
"dateReserved": "2024-05-17T13:50:33.106Z",
"dateUpdated": "2025-05-04T09:06:52.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47236 (GCVE-0-2021-47236)
Vulnerability from cvelistv5 – Published: 2024-05-21 14:19 – Updated: 2025-05-04 07:06
VLAI?
EPSS
Title
net: cdc_eem: fix tx fixup skb leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: cdc_eem: fix tx fixup skb leak
when usbnet transmit a skb, eem fixup it in eem_tx_fixup(),
if skb_copy_expand() failed, it return NULL,
usbnet_start_xmit() will have no chance to free original skb.
fix it by free orginal skb in eem_tx_fixup() first,
then check skb clone status, if failed, return NULL to usbnet.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9f722c0978b04acba209f8ca1896ad05814bc3a3 , < f12554b0ff639e74612cc01b3b4a049e098d2d65
(git)
Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < 14184ec5c958b589ba934da7363a2877879204df (git) Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < 1bcacd6088d61c0ac6a990d87975600a81f3247e (git) Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < f4e6a7f19c82f39b1803e91c54718f0d7143767d (git) Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < 81de2ed06df8b5451e050fe6a318af3263dbff3f (git) Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < 05b2b9f7d24b5663d9b47427fe1555bdafd3ea02 (git) Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < b4f7a9fc9d094c0c4a66f2ad7c37b1dbe9e78f88 (git) Affected: 9f722c0978b04acba209f8ca1896ad05814bc3a3 , < c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:38:01.951930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:39:57.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:32:07.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f12554b0ff639e74612cc01b3b4a049e098d2d65"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/14184ec5c958b589ba934da7363a2877879204df"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1bcacd6088d61c0ac6a990d87975600a81f3247e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f4e6a7f19c82f39b1803e91c54718f0d7143767d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/81de2ed06df8b5451e050fe6a318af3263dbff3f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/05b2b9f7d24b5663d9b47427fe1555bdafd3ea02"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b4f7a9fc9d094c0c4a66f2ad7c37b1dbe9e78f88"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f12554b0ff639e74612cc01b3b4a049e098d2d65",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "14184ec5c958b589ba934da7363a2877879204df",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "1bcacd6088d61c0ac6a990d87975600a81f3247e",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "f4e6a7f19c82f39b1803e91c54718f0d7143767d",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "81de2ed06df8b5451e050fe6a318af3263dbff3f",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "05b2b9f7d24b5663d9b47427fe1555bdafd3ea02",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "b4f7a9fc9d094c0c4a66f2ad7c37b1dbe9e78f88",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
},
{
"lessThan": "c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7",
"status": "affected",
"version": "9f722c0978b04acba209f8ca1896ad05814bc3a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/cdc_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.274",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.274",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.238",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.196",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.128",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.46",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_eem: fix tx fixup skb leak\n\nwhen usbnet transmit a skb, eem fixup it in eem_tx_fixup(),\nif skb_copy_expand() failed, it return NULL,\nusbnet_start_xmit() will have no chance to free original skb.\n\nfix it by free orginal skb in eem_tx_fixup() first,\nthen check skb clone status, if failed, return NULL to usbnet."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:06:52.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f12554b0ff639e74612cc01b3b4a049e098d2d65"
},
{
"url": "https://git.kernel.org/stable/c/14184ec5c958b589ba934da7363a2877879204df"
},
{
"url": "https://git.kernel.org/stable/c/1bcacd6088d61c0ac6a990d87975600a81f3247e"
},
{
"url": "https://git.kernel.org/stable/c/f4e6a7f19c82f39b1803e91c54718f0d7143767d"
},
{
"url": "https://git.kernel.org/stable/c/81de2ed06df8b5451e050fe6a318af3263dbff3f"
},
{
"url": "https://git.kernel.org/stable/c/05b2b9f7d24b5663d9b47427fe1555bdafd3ea02"
},
{
"url": "https://git.kernel.org/stable/c/b4f7a9fc9d094c0c4a66f2ad7c37b1dbe9e78f88"
},
{
"url": "https://git.kernel.org/stable/c/c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7"
}
],
"title": "net: cdc_eem: fix tx fixup skb leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47236",
"datePublished": "2024-05-21T14:19:37.724Z",
"dateReserved": "2024-04-10T18:59:19.531Z",
"dateUpdated": "2025-05-04T07:06:52.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35852 (GCVE-0-2024-35852)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:47 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
The rehash delayed work is rescheduled with a delay if the number of
credits at end of the work is not negative as supposedly it means that
the migration ended. Otherwise, it is rescheduled immediately.
After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during
rehash" the above is no longer accurate as a non-negative number of
credits is no longer indicative of the migration being done. It can also
happen if the work encountered an error in which case the migration will
resume the next time the work is scheduled.
The significance of the above is that it is possible for the work to be
pending and associated with hints that were allocated when the migration
started. This leads to the hints being leaked [1] when the work is
canceled while pending as part of ACL region dismantle.
Fix by freeing the hints if hints are associated with a work that was
canceled while pending.
Blame the original commit since the reliance on not having a pending
work associated with hints is fragile.
[1]
unreferenced object 0xffff88810e7c3000 (size 256):
comm "kworker/0:16", pid 176, jiffies 4295460353
hex dump (first 32 bytes):
00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......
00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........
backtrace (crc 2544ddb9):
[<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0
[<000000004d9a1ad9>] objagg_hints_get+0x42/0x390
[<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400
[<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160
[<00000000e81fd734>] process_one_work+0x59c/0xf20
[<00000000ceee9e81>] worker_thread+0x799/0x12c0
[<00000000bda6fe39>] kthread+0x246/0x300
[<0000000070056d23>] ret_from_fork+0x34/0x70
[<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c9c9af91f1d9a636aecc55302c792538e549a430 , < 51cefc9da400b953fee749c9e5d26cd4a2b5d758
(git)
Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 857ed800133ffcfcee28582090b63b0cbb8ba59d (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 63d814d93c5cce4c18284adc810028f28dca493f (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < 5bfe7bf9656ed2633718388f12b7c38b86414a04 (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < d72dd6fcd7886d0523afbab8b4a4b22d17addd7d (git) Affected: c9c9af91f1d9a636aecc55302c792538e549a430 , < fb4e2b70a7194b209fc7320bbf33b375f7114bd5 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T18:41:32.237249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:34:10.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "51cefc9da400b953fee749c9e5d26cd4a2b5d758",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "857ed800133ffcfcee28582090b63b0cbb8ba59d",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "63d814d93c5cce4c18284adc810028f28dca493f",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "5bfe7bf9656ed2633718388f12b7c38b86414a04",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "d72dd6fcd7886d0523afbab8b4a4b22d17addd7d",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
},
{
"lessThan": "fb4e2b70a7194b209fc7320bbf33b375f7114bd5",
"status": "affected",
"version": "c9c9af91f1d9a636aecc55302c792538e549a430",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.158",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.90",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.9",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [\u003c00000000cf8cfab3\u003e] kmalloc_trace+0x23f/0x2a0\n [\u003c000000004d9a1ad9\u003e] objagg_hints_get+0x42/0x390\n [\u003c000000000b143cf3\u003e] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [\u003c0000000059bdb60a\u003e] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [\u003c00000000e81fd734\u003e] process_one_work+0x59c/0xf20\n [\u003c00000000ceee9e81\u003e] worker_thread+0x799/0x12c0\n [\u003c00000000bda6fe39\u003e] kthread+0x246/0x300\n [\u003c0000000070056d23\u003e] ret_from_fork+0x34/0x70\n [\u003c00000000dea2b93e\u003e] ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:51.339Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758"
},
{
"url": "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d"
},
{
"url": "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f"
},
{
"url": "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04"
},
{
"url": "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab"
},
{
"url": "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d"
},
{
"url": "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5"
}
],
"title": "mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35852",
"datePublished": "2024-05-17T14:47:29.441Z",
"dateReserved": "2024-05-17T13:50:33.106Z",
"dateUpdated": "2025-05-04T09:06:51.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35855 (GCVE-0-2024-35855)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:47 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
The rule activity update delayed work periodically traverses the list of
configured rules and queries their activity from the device.
As part of this task it accesses the entry pointed by 'ventry->entry',
but this entry can be changed concurrently by the rehash delayed work,
leading to a use-after-free [1].
Fix by closing the race and perform the activity query under the
'vregion->lock' mutex.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140
Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181
CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work
Call Trace:
<TASK>
dump_stack_lvl+0xc6/0x120
print_report+0xce/0x670
kasan_report+0xd7/0x110
mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140
mlxsw_sp_acl_rule_activity_update_work+0x219/0x400
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1039:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
__kmalloc+0x19c/0x360
mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50
mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30
Freed by task 1039:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
poison_slab_object+0x102/0x170
__kasan_slab_free+0x14/0x30
kfree+0xc1/0x290
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50
mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
process_one_work+0x8eb/0x19b0
worker_thread+0x6c9/0xf70
kthread+0x2c9/0x3b0
ret_from_fork+0x4d/0x80
ret_from_fork_asm+0x1a/0x30
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2bffc5322fd8679e879cd6370881ee50cf141ada , < 1b73f6e4ea770410a937a8db98f77e52594d23a0
(git)
Affected: 2bffc5322fd8679e879cd6370881ee50cf141ada , < e24d2487424779c02760ff50cd9021b8676e19ef (git) Affected: 2bffc5322fd8679e879cd6370881ee50cf141ada , < c17976b42d546ee118ca300db559630ee96fb758 (git) Affected: 2bffc5322fd8679e879cd6370881ee50cf141ada , < b996e8699da810e4c915841d6aaef761007f933a (git) Affected: 2bffc5322fd8679e879cd6370881ee50cf141ada , < feabdac2057e863d0e140a2adf3d232eb4882db4 (git) Affected: 2bffc5322fd8679e879cd6370881ee50cf141ada , < b183b915beef818a25e3154d719ca015a1ae0770 (git) Affected: 2bffc5322fd8679e879cd6370881ee50cf141ada , < 79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T16:58:00.643012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:33:37.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b73f6e4ea770410a937a8db98f77e52594d23a0",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
},
{
"lessThan": "e24d2487424779c02760ff50cd9021b8676e19ef",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
},
{
"lessThan": "c17976b42d546ee118ca300db559630ee96fb758",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
},
{
"lessThan": "b996e8699da810e4c915841d6aaef761007f933a",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
},
{
"lessThan": "feabdac2057e863d0e140a2adf3d232eb4882db4",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
},
{
"lessThan": "b183b915beef818a25e3154d719ca015a1ae0770",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
},
{
"lessThan": "79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4",
"status": "affected",
"version": "2bffc5322fd8679e879cd6370881ee50cf141ada",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.158",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.90",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.9",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by \u0027ventry-\u003eentry\u0027,\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n\u0027vregion-\u003elock\u0027 mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:55.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0"
},
{
"url": "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef"
},
{
"url": "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758"
},
{
"url": "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a"
},
{
"url": "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4"
},
{
"url": "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770"
},
{
"url": "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4"
}
],
"title": "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35855",
"datePublished": "2024-05-17T14:47:31.436Z",
"dateReserved": "2024-05-17T13:50:33.106Z",
"dateUpdated": "2025-05-04T09:06:55.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47495 (GCVE-0-2021-47495)
Vulnerability from cvelistv5 – Published: 2024-05-22 08:19 – Updated: 2025-12-18 11:37
VLAI?
EPSS
Title
usbnet: sanity check for maxpacket
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: sanity check for maxpacket
maxpacket of 0 makes no sense and oopses as we need to divide
by it. Give up.
V2: fixed typo in log and stylistic issues
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b9eba0a4a527e04d712f0e0401e5391ef124b33e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 524f333e98138d909a0a0c574a9ff6737dce2767 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 74b3b27cf9fecce00cd8918b7882fd81191d0aa4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 002d82227c0abe29118cf80f7e2f396b22d448ed (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 492140e45d2bf27c1014243f8616a9b612144e20 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 693ecbe8f799405f8775719deedb1f76265d375a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7e8b6a4f18edee070213cb6a77118e8a412253c5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 397430b50a363d8b7bdda00522123f82df6adc5e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T15:49:07.936135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:15:06.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:39:59.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b9eba0a4a527e04d712f0e0401e5391ef124b33e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/524f333e98138d909a0a0c574a9ff6737dce2767"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/74b3b27cf9fecce00cd8918b7882fd81191d0aa4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/002d82227c0abe29118cf80f7e2f396b22d448ed"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/492140e45d2bf27c1014243f8616a9b612144e20"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/693ecbe8f799405f8775719deedb1f76265d375a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7e8b6a4f18edee070213cb6a77118e8a412253c5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/397430b50a363d8b7bdda00522123f82df6adc5e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9eba0a4a527e04d712f0e0401e5391ef124b33e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "524f333e98138d909a0a0c574a9ff6737dce2767",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74b3b27cf9fecce00cd8918b7882fd81191d0aa4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "002d82227c0abe29118cf80f7e2f396b22d448ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "492140e45d2bf27c1014243f8616a9b612144e20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "693ecbe8f799405f8775719deedb1f76265d375a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e8b6a4f18edee070213cb6a77118e8a412253c5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "397430b50a363d8b7bdda00522123f82df6adc5e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.14.*",
"status": "unaffected",
"version": "5.14.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.289",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.254",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.215",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.157",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.77",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.14.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: sanity check for maxpacket\n\nmaxpacket of 0 makes no sense and oopses as we need to divide\nby it. Give up.\n\nV2: fixed typo in log and stylistic issues"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T11:37:43.236Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9eba0a4a527e04d712f0e0401e5391ef124b33e"
},
{
"url": "https://git.kernel.org/stable/c/524f333e98138d909a0a0c574a9ff6737dce2767"
},
{
"url": "https://git.kernel.org/stable/c/74b3b27cf9fecce00cd8918b7882fd81191d0aa4"
},
{
"url": "https://git.kernel.org/stable/c/002d82227c0abe29118cf80f7e2f396b22d448ed"
},
{
"url": "https://git.kernel.org/stable/c/492140e45d2bf27c1014243f8616a9b612144e20"
},
{
"url": "https://git.kernel.org/stable/c/693ecbe8f799405f8775719deedb1f76265d375a"
},
{
"url": "https://git.kernel.org/stable/c/7e8b6a4f18edee070213cb6a77118e8a412253c5"
},
{
"url": "https://git.kernel.org/stable/c/397430b50a363d8b7bdda00522123f82df6adc5e"
}
],
"title": "usbnet: sanity check for maxpacket",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47495",
"datePublished": "2024-05-22T08:19:42.732Z",
"dateReserved": "2024-05-22T06:20:56.202Z",
"dateUpdated": "2025-12-18T11:37:43.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47310 (GCVE-0-2021-47310)
Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2025-05-04 07:08
VLAI?
EPSS
Title
net: ti: fix UAF in tlan_remove_one
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ti: fix UAF in tlan_remove_one
priv is netdev private data and it cannot be
used after free_netdev() call. Using priv after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < a18a8d9cfbb112ad72e625372849adc3986fd6bf
(git)
Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < c263ae8c7e4c482387de5e6c89e213f8173fe8b6 (git) Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < 0538b0ab7d2c396e385694228c7cdcd2d2c514e9 (git) Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < a0a817b2d308fac090a05cbbe80988e073ac5193 (git) Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < b7e5563f2a7862a9e4796abb9908b092f677e3c1 (git) Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < f2a062fcfe1d6f1b0a86fa76ae21c277d65f4405 (git) Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < 93efab0ef2a607fff9166d447c4035f98b5db342 (git) Affected: 1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa , < 0336f8ffece62f882ab3012820965a786a983f70 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T15:35:38.649783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:14:17.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:32:08.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a18a8d9cfbb112ad72e625372849adc3986fd6bf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c263ae8c7e4c482387de5e6c89e213f8173fe8b6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0538b0ab7d2c396e385694228c7cdcd2d2c514e9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a0a817b2d308fac090a05cbbe80988e073ac5193"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b7e5563f2a7862a9e4796abb9908b092f677e3c1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f2a062fcfe1d6f1b0a86fa76ae21c277d65f4405"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/93efab0ef2a607fff9166d447c4035f98b5db342"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0336f8ffece62f882ab3012820965a786a983f70"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/tlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a18a8d9cfbb112ad72e625372849adc3986fd6bf",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "c263ae8c7e4c482387de5e6c89e213f8173fe8b6",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "0538b0ab7d2c396e385694228c7cdcd2d2c514e9",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "a0a817b2d308fac090a05cbbe80988e073ac5193",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "b7e5563f2a7862a9e4796abb9908b092f677e3c1",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "f2a062fcfe1d6f1b0a86fa76ae21c277d65f4405",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "93efab0ef2a607fff9166d447c4035f98b5db342",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
},
{
"lessThan": "0336f8ffece62f882ab3012820965a786a983f70",
"status": "affected",
"version": "1e0a8b13d35510e711fdf72e9a3e30bcb2bd49fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ti/tlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.277",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.277",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.13.*",
"status": "unaffected",
"version": "5.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.277",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.277",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.241",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.199",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.135",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.53",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13.5",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.14",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: fix UAF in tlan_remove_one\n\npriv is netdev private data and it cannot be\nused after free_netdev() call. Using priv after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:08:26.087Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a18a8d9cfbb112ad72e625372849adc3986fd6bf"
},
{
"url": "https://git.kernel.org/stable/c/c263ae8c7e4c482387de5e6c89e213f8173fe8b6"
},
{
"url": "https://git.kernel.org/stable/c/0538b0ab7d2c396e385694228c7cdcd2d2c514e9"
},
{
"url": "https://git.kernel.org/stable/c/a0a817b2d308fac090a05cbbe80988e073ac5193"
},
{
"url": "https://git.kernel.org/stable/c/b7e5563f2a7862a9e4796abb9908b092f677e3c1"
},
{
"url": "https://git.kernel.org/stable/c/f2a062fcfe1d6f1b0a86fa76ae21c277d65f4405"
},
{
"url": "https://git.kernel.org/stable/c/93efab0ef2a607fff9166d447c4035f98b5db342"
},
{
"url": "https://git.kernel.org/stable/c/0336f8ffece62f882ab3012820965a786a983f70"
}
],
"title": "net: ti: fix UAF in tlan_remove_one",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47310",
"datePublished": "2024-05-21T14:35:28.649Z",
"dateReserved": "2024-05-21T14:28:16.972Z",
"dateUpdated": "2025-05-04T07:08:26.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35835 (GCVE-0-2024-35835)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:02 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
net/mlx5e: fix a double-free in arfs_create_groups
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: fix a double-free in arfs_create_groups
When `in` allocated by kvzalloc fails, arfs_create_groups will free
ft->g and return an error. However, arfs_create_table, the only caller of
arfs_create_groups, will hold this error and call to
mlx5e_destroy_flow_table, in which the ft->g will be freed again.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < e3d3ed8c152971dbe64c92c9ecb98fdb52abb629
(git)
Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < 2501afe6c4c9829d03abe9a368b83d9ea1b611b7 (git) Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5 (git) Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < c57ca114eb00e03274dd38108d07a3750fa3c056 (git) Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < 42876db001bbea7558e8676d1019f08f9390addb (git) Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7 (git) Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < 66cc521a739ccd5da057a1cb3d6346c6d0e7619b (git) Affected: 1cabe6b0965ec067ac60e8f182f16d479a3b9a5c , < 3c6d5189246f590e4e1f167991558bdb72a4738b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T17:01:13.319923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T21:08:42.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3d3ed8c152971dbe64c92c9ecb98fdb52abb629",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "2501afe6c4c9829d03abe9a368b83d9ea1b611b7",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "c57ca114eb00e03274dd38108d07a3750fa3c056",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "42876db001bbea7558e8676d1019f08f9390addb",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "66cc521a739ccd5da057a1cb3d6346c6d0e7619b",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
},
{
"lessThan": "3c6d5189246f590e4e1f167991558bdb72a4738b",
"status": "affected",
"version": "1cabe6b0965ec067ac60e8f182f16d479a3b9a5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a double-free in arfs_create_groups\n\nWhen `in` allocated by kvzalloc fails, arfs_create_groups will free\nft-\u003eg and return an error. However, arfs_create_table, the only caller of\narfs_create_groups, will hold this error and call to\nmlx5e_destroy_flow_table, in which the ft-\u003eg will be freed again."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:28.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3d3ed8c152971dbe64c92c9ecb98fdb52abb629"
},
{
"url": "https://git.kernel.org/stable/c/2501afe6c4c9829d03abe9a368b83d9ea1b611b7"
},
{
"url": "https://git.kernel.org/stable/c/cf116d9c3c2aebd653c2dfab5b10c278e9ec3ee5"
},
{
"url": "https://git.kernel.org/stable/c/c57ca114eb00e03274dd38108d07a3750fa3c056"
},
{
"url": "https://git.kernel.org/stable/c/42876db001bbea7558e8676d1019f08f9390addb"
},
{
"url": "https://git.kernel.org/stable/c/b21db3f1ab7967a81d6bbd328d28fe5a4c07a8a7"
},
{
"url": "https://git.kernel.org/stable/c/66cc521a739ccd5da057a1cb3d6346c6d0e7619b"
},
{
"url": "https://git.kernel.org/stable/c/3c6d5189246f590e4e1f167991558bdb72a4738b"
}
],
"title": "net/mlx5e: fix a double-free in arfs_create_groups",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35835",
"datePublished": "2024-05-17T14:02:23.469Z",
"dateReserved": "2024-05-17T13:50:33.103Z",
"dateUpdated": "2025-05-04T09:06:28.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26859 (GCVE-0-2024-26859)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2025-05-04 08:58
VLAI?
EPSS
Title
net/bnx2x: Prevent access to a freed page in page_pool
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/bnx2x: Prevent access to a freed page in page_pool
Fix race condition leading to system crash during EEH error handling
During EEH error recovery, the bnx2x driver's transmit timeout logic
could cause a race condition when handling reset tasks. The
bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),
which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()
SGEs are freed using bnx2x_free_rx_sge_range(). However, this could
overlap with the EEH driver's attempt to reset the device using
bnx2x_io_slot_reset(), which also tries to free SGEs. This race
condition can result in system crashes due to accessing freed memory
locations in bnx2x_free_rx_sge()
799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,
800 struct bnx2x_fastpath *fp, u16 index)
801 {
802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
803 struct page *page = sw_buf->page;
....
where sw_buf was set to NULL after the call to dma_unmap_page()
by the preceding thread.
EEH: Beginning: 'slot_reset'
PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc0080000025065fc
Oops: Kernel access of bad area, sig: 11 [#1]
.....
Call Trace:
[c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
[c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
[c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
[c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
[c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
[c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
[c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
To solve this issue, we need to verify page pool allocations before
freeing.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4cace675d687ebd2d813e90af80ff87ee85202f9 , < 7bcc090c81116c66936a7415f2c6b1483a4bcfd9
(git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 4f37d3a7e004bbf560c21441ca9c022168017ec4 (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 8eebff95ce9558be66a36aa7cfb43223f3ab4699 (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598 (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < cf7d8cba639ae792a42c2a137b495eac262ac36c (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < c51f8b6930db3f259b8820b589f2459d2df3fc68 (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 44f9f1abb0ecc43023225ab9539167facbabf0ec (git) Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < d27e2da94a42655861ca4baea30c8cd65546f25d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T14:02:31.556726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:09.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bcc090c81116c66936a7415f2c6b1483a4bcfd9",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "4f37d3a7e004bbf560c21441ca9c022168017ec4",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "8eebff95ce9558be66a36aa7cfb43223f3ab4699",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "cf7d8cba639ae792a42c2a137b495eac262ac36c",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "c51f8b6930db3f259b8820b589f2459d2df3fc68",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "44f9f1abb0ecc43023225ab9539167facbabf0ec",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
},
{
"lessThan": "d27e2da94a42655861ca4baea30c8cd65546f25d",
"status": "affected",
"version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.311",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.273",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver\u0027s transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver\u0027s attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801 {\n802\tstruct sw_rx_page *sw_buf = \u0026fp-\u003erx_page_ring[index];\n803 struct page *page = sw_buf-\u003epage;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n EEH: Beginning: \u0027slot_reset\u0027\n PCI 0011:01:00.0#10000: EEH: Invoking bnx2x-\u003eslot_reset()\n bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n bnx2x 0011:01:00.0: enabling device (0140 -\u003e 0142)\n bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --\u003e driver unload\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc0080000025065fc\n Oops: Kernel access of bad area, sig: 11 [#1]\n .....\n Call Trace:\n [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:58:08.974Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9"
},
{
"url": "https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4"
},
{
"url": "https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699"
},
{
"url": "https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598"
},
{
"url": "https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c"
},
{
"url": "https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb"
},
{
"url": "https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68"
},
{
"url": "https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec"
},
{
"url": "https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d"
}
],
"title": "net/bnx2x: Prevent access to a freed page in page_pool",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26859",
"datePublished": "2024-04-17T10:27:23.709Z",
"dateReserved": "2024-02-19T14:20:24.183Z",
"dateUpdated": "2025-05-04T08:58:08.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26759 (GCVE-0-2024-26759)
Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2025-05-04 08:55
VLAI?
EPSS
Title
mm/swap: fix race when skipping swapcache
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/swap: fix race when skipping swapcache
When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads
swapin the same entry at the same time, they get different pages (A, B).
Before one thread (T0) finishes the swapin and installs page (A) to the
PTE, another thread (T1) could finish swapin of page (B), swap_free the
entry, then swap out the possibly modified page reusing the same entry.
It breaks the pte_same check in (T0) because PTE value is unchanged,
causing ABA problem. Thread (T0) will install a stalled page (A) into the
PTE and cause data corruption.
One possible callstack is like this:
CPU0 CPU1
---- ----
do_swap_page() do_swap_page() with same entry
<direct swapin path> <direct swapin path>
<alloc page A> <alloc page B>
swap_read_folio() <- read to page A swap_read_folio() <- read to page B
<slow on later locks or interrupt> <finished swapin first>
... set_pte_at()
swap_free() <- entry is free
<write to page B, now page A stalled>
<swap out page B to same swap entry>
pte_same() <- Check pass, PTE seems
unchanged, but page A
is stalled!
swap_free() <- page B content lost!
set_pte_at() <- staled page A installed!
And besides, for ZRAM, swap_free() allows the swap device to discard the
entry content, so even if page (B) is not modified, if swap_read_folio()
on CPU0 happens later than swap_free() on CPU1, it may also cause data
loss.
To fix this, reuse swapcache_prepare which will pin the swap entry using
the cache flag, and allow only one thread to swap it in, also prevent any
parallel code from putting the entry in the cache. Release the pin after
PT unlocked.
Racers just loop and wait since it's a rare and very short event. A
schedule_timeout_uninterruptible(1) call is added to avoid repeated page
faults wasting too much CPU, causing livelock or adding too much noise to
perf statistics. A similar livelock issue was described in commit
029c4628b2eb ("mm: swap: get rid of livelock in swapin readahead")
Reproducer:
This race issue can be triggered easily using a well constructed
reproducer and patched brd (with a delay in read path) [1]:
With latest 6.8 mainline, race caused data loss can be observed easily:
$ gcc -g -lpthread test-thread-swap-race.c && ./a.out
Polulating 32MB of memory region...
Keep swapping out...
Starting round 0...
Spawning 65536 workers...
32746 workers spawned, wait for done...
Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!
Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!
Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!
Round 0 Failed, 15 data loss!
This reproducer spawns multiple threads sharing the same memory region
using a small swap device. Every two threads updates mapped pages one by
one in opposite direction trying to create a race, with one dedicated
thread keep swapping out the data out using madvise.
The reproducer created a reproduce rate of about once every 5 minutes, so
the race should be totally possible in production.
After this patch, I ran the reproducer for over a few hundred rounds and
no data loss observed.
Performance overhead is minimal, microbenchmark swapin 10G from 32G
zram:
Before: 10934698 us
After: 11157121 us
Cached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)
[kasong@tencent.com: v4]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0bcac06f27d7528591c27ac2b093ccd71c5d0168 , < 2dedda77d4493f3e92e414b272bfa60f1f51ed95
(git)
Affected: 0bcac06f27d7528591c27ac2b093ccd71c5d0168 , < 305152314df82b22cf9b181f3dc5fc411002079a (git) Affected: 0bcac06f27d7528591c27ac2b093ccd71c5d0168 , < d183a4631acfc7af955c02a02e739cec15f5234d (git) Affected: 0bcac06f27d7528591c27ac2b093ccd71c5d0168 , < 13ddaf26be324a7f951891ecd9ccd04466d27458 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-08T14:03:53.009974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:35.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/swap.h",
"mm/memory.c",
"mm/swap.h",
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2dedda77d4493f3e92e414b272bfa60f1f51ed95",
"status": "affected",
"version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168",
"versionType": "git"
},
{
"lessThan": "305152314df82b22cf9b181f3dc5fc411002079a",
"status": "affected",
"version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168",
"versionType": "git"
},
{
"lessThan": "d183a4631acfc7af955c02a02e739cec15f5234d",
"status": "affected",
"version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168",
"versionType": "git"
},
{
"lessThan": "13ddaf26be324a7f951891ecd9ccd04466d27458",
"status": "affected",
"version": "0bcac06f27d7528591c27ac2b093ccd71c5d0168",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/swap.h",
"mm/memory.c",
"mm/swap.h",
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n\u003cdirect swapin path\u003e \u003cdirect swapin path\u003e\n\u003calloc page A\u003e \u003calloc page B\u003e\nswap_read_folio() \u003c- read to page A swap_read_folio() \u003c- read to page B\n\u003cslow on later locks or interrupt\u003e \u003cfinished swapin first\u003e\n... set_pte_at()\n swap_free() \u003c- entry is free\n \u003cwrite to page B, now page A stalled\u003e\n \u003cswap out page B to same swap entry\u003e\npte_same() \u003c- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() \u003c- page B content lost!\nset_pte_at() \u003c- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it\u0027s a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c \u0026\u0026 ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:55:52.045Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95"
},
{
"url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a"
},
{
"url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d"
},
{
"url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458"
}
],
"title": "mm/swap: fix race when skipping swapcache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26759",
"datePublished": "2024-04-03T17:00:43.288Z",
"dateReserved": "2024-02-19T14:20:24.170Z",
"dateUpdated": "2025-05-04T08:55:52.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47073 (GCVE-0-2021-47073)
Vulnerability from cvelistv5 – Published: 2024-03-01 21:15 – Updated: 2025-05-04 07:03
VLAI?
EPSS
Title
platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems
where the Dell WMI interface is supported. While exit_dell_smbios_wmi()
unregisters it unconditionally, this leads to the following oops:
[ 175.722921] ------------[ cut here ]------------
[ 175.722925] Unexpected driver unregister!
[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40
...
[ 175.723089] Call Trace:
[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios]
...
[ 175.723148] ---[ end trace 064c34e1ad49509d ]---
Make the unregister happen on the same condition the register happens
to fix this.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1a258e670434f404a4500b65ba1afea2c2b29bba , < 75cfc833da4a2111106d4c134e93e0c7f41e35e7
(git)
Affected: 1a258e670434f404a4500b65ba1afea2c2b29bba , < 6fa78a6b9a3beb676a010dc489c1257f7e432525 (git) Affected: 1a258e670434f404a4500b65ba1afea2c2b29bba , < 0cf036a0d325200e6c27b90908e51195bbc557b1 (git) Affected: 1a258e670434f404a4500b65ba1afea2c2b29bba , < 8d746ea7c687bab060a2c05a35c449302406cd52 (git) Affected: 1a258e670434f404a4500b65ba1afea2c2b29bba , < 3a53587423d25c87af4b4126a806a0575104b45e (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T22:11:59.293322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:23.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:24:39.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/75cfc833da4a2111106d4c134e93e0c7f41e35e7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6fa78a6b9a3beb676a010dc489c1257f7e432525"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0cf036a0d325200e6c27b90908e51195bbc557b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8d746ea7c687bab060a2c05a35c449302406cd52"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3a53587423d25c87af4b4126a806a0575104b45e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-smbios-wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75cfc833da4a2111106d4c134e93e0c7f41e35e7",
"status": "affected",
"version": "1a258e670434f404a4500b65ba1afea2c2b29bba",
"versionType": "git"
},
{
"lessThan": "6fa78a6b9a3beb676a010dc489c1257f7e432525",
"status": "affected",
"version": "1a258e670434f404a4500b65ba1afea2c2b29bba",
"versionType": "git"
},
{
"lessThan": "0cf036a0d325200e6c27b90908e51195bbc557b1",
"status": "affected",
"version": "1a258e670434f404a4500b65ba1afea2c2b29bba",
"versionType": "git"
},
{
"lessThan": "8d746ea7c687bab060a2c05a35c449302406cd52",
"status": "affected",
"version": "1a258e670434f404a4500b65ba1afea2c2b29bba",
"versionType": "git"
},
{
"lessThan": "3a53587423d25c87af4b4126a806a0575104b45e",
"status": "affected",
"version": "1a258e670434f404a4500b65ba1afea2c2b29bba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/dell/dell-smbios-wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.192",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.122",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.40",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios\n\ninit_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems\nwhere the Dell WMI interface is supported. While exit_dell_smbios_wmi()\nunregisters it unconditionally, this leads to the following oops:\n\n[ 175.722921] ------------[ cut here ]------------\n[ 175.722925] Unexpected driver unregister!\n[ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40\n...\n[ 175.723089] Call Trace:\n[ 175.723094] cleanup_module+0x5/0xedd [dell_smbios]\n...\n[ 175.723148] ---[ end trace 064c34e1ad49509d ]---\n\nMake the unregister happen on the same condition the register happens\nto fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:03:37.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75cfc833da4a2111106d4c134e93e0c7f41e35e7"
},
{
"url": "https://git.kernel.org/stable/c/6fa78a6b9a3beb676a010dc489c1257f7e432525"
},
{
"url": "https://git.kernel.org/stable/c/0cf036a0d325200e6c27b90908e51195bbc557b1"
},
{
"url": "https://git.kernel.org/stable/c/8d746ea7c687bab060a2c05a35c449302406cd52"
},
{
"url": "https://git.kernel.org/stable/c/3a53587423d25c87af4b4126a806a0575104b45e"
}
],
"title": "platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47073",
"datePublished": "2024-03-01T21:15:11.466Z",
"dateReserved": "2024-02-29T22:33:44.297Z",
"dateUpdated": "2025-05-04T07:03:37.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26585 (GCVE-0-2024-26585)
Vulnerability from cvelistv5 – Published: 2024-02-21 14:59 – Updated: 2025-11-04 18:29
VLAI?
EPSS
Title
tls: fix race between tx work scheduling and socket close
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: fix race between tx work scheduling and socket close
Similarly to previous commit, the submitting thread (recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete().
Reorder scheduling the work before calling complete().
This seems more logical in the first place, as it's
the inverse order of what the submitting thread will do.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a42055e8d2c30d4decfc13ce943d09c7b9dad221 , < dd32621f19243f89ce830919496a5dcc2158aa33
(git)
Affected: a42055e8d2c30d4decfc13ce943d09c7b9dad221 , < 196f198ca6fce04ba6ce262f5a0e4d567d7d219d (git) Affected: a42055e8d2c30d4decfc13ce943d09c7b9dad221 , < 6db22d6c7a6dc914b12c0469b94eb639b6a8a146 (git) Affected: a42055e8d2c30d4decfc13ce943d09c7b9dad221 , < e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57 (git) Affected: a42055e8d2c30d4decfc13ce943d09c7b9dad221 , < e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26585",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-28T17:07:29.305466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T17:07:36.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:29:48.732Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/196f198ca6fce04ba6ce262f5a0e4d567d7d219d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd32621f19243f89ce830919496a5dcc2158aa33",
"status": "affected",
"version": "a42055e8d2c30d4decfc13ce943d09c7b9dad221",
"versionType": "git"
},
{
"lessThan": "196f198ca6fce04ba6ce262f5a0e4d567d7d219d",
"status": "affected",
"version": "a42055e8d2c30d4decfc13ce943d09c7b9dad221",
"versionType": "git"
},
{
"lessThan": "6db22d6c7a6dc914b12c0469b94eb639b6a8a146",
"status": "affected",
"version": "a42055e8d2c30d4decfc13ce943d09c7b9dad221",
"versionType": "git"
},
{
"lessThan": "e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57",
"status": "affected",
"version": "a42055e8d2c30d4decfc13ce943d09c7b9dad221",
"versionType": "git"
},
{
"lessThan": "e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb",
"status": "affected",
"version": "a42055e8d2c30d4decfc13ce943d09c7b9dad221",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.165",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it\u0027s\nthe inverse order of what the submitting thread will do."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:51:37.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd32621f19243f89ce830919496a5dcc2158aa33"
},
{
"url": "https://git.kernel.org/stable/c/196f198ca6fce04ba6ce262f5a0e4d567d7d219d"
},
{
"url": "https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146"
},
{
"url": "https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57"
},
{
"url": "https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb"
}
],
"title": "tls: fix race between tx work scheduling and socket close",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26585",
"datePublished": "2024-02-21T14:59:13.088Z",
"dateReserved": "2024-02-19T14:20:24.125Z",
"dateUpdated": "2025-11-04T18:29:48.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26584 (GCVE-0-2024-26584)
Vulnerability from cvelistv5 – Published: 2024-02-21 14:59 – Updated: 2025-11-04 18:29
VLAI?
EPSS
Title
net: tls: handle backlogging of crypto requests
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tls: handle backlogging of crypto requests
Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our
requests to the crypto API, crypto_aead_{encrypt,decrypt} can return
-EBUSY instead of -EINPROGRESS in valid situations. For example, when
the cryptd queue for AESNI is full (easy to trigger with an
artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued
to the backlog but still processed. In that case, the async callback
will also be called twice: first with err == -EINPROGRESS, which it
seems we can just ignore, then with err == 0.
Compared to Sabrina's original patch this version uses the new
tls_*crypt_async_wait() helpers and converts the EBUSY to
EINPROGRESS to avoid having to modify all the error handling
paths. The handling is identical.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a54667f6728c2714a400f3c884727da74b6d1717 , < 3ade391adc584f17b5570fd205de3ad029090368
(git)
Affected: a54667f6728c2714a400f3c884727da74b6d1717 , < cd1bbca03f3c1d845ce274c0d0a66de8e5929f72 (git) Affected: a54667f6728c2714a400f3c884727da74b6d1717 , < 13eca403876bbea3716e82cdfe6f1e6febb38754 (git) Affected: a54667f6728c2714a400f3c884727da74b6d1717 , < ab6397f072e5097f267abf5cb08a8004e6b17694 (git) Affected: a54667f6728c2714a400f3c884727da74b6d1717 , < 8590541473188741055d27b955db0777569438e3 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-26T17:14:36.035758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:03.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:29:47.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ade391adc584f17b5570fd205de3ad029090368",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "cd1bbca03f3c1d845ce274c0d0a66de8e5929f72",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "13eca403876bbea3716e82cdfe6f1e6febb38754",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "ab6397f072e5097f267abf5cb08a8004e6b17694",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
},
{
"lessThan": "8590541473188741055d27b955db0777569438e3",
"status": "affected",
"version": "a54667f6728c2714a400f3c884727da74b6d1717",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.160",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we\u0027re setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina\u0027s original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:51:35.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ade391adc584f17b5570fd205de3ad029090368"
},
{
"url": "https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72"
},
{
"url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754"
},
{
"url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694"
},
{
"url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3"
}
],
"title": "net: tls: handle backlogging of crypto requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26584",
"datePublished": "2024-02-21T14:59:12.452Z",
"dateReserved": "2024-02-19T14:20:24.125Z",
"dateUpdated": "2025-11-04T18:29:47.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36007 (GCVE-0-2024-36007)
Vulnerability from cvelistv5 – Published: 2024-05-20 09:48 – Updated: 2025-05-04 09:10
VLAI?
EPSS
Title
mlxsw: spectrum_acl_tcam: Fix warning during rehash
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix warning during rehash
As previously explained, the rehash delayed work migrates filters from
one region to another. This is done by iterating over all chunks (all
the filters with the same priority) in the region and in each chunk
iterating over all the filters.
When the work runs out of credits it stores the current chunk and entry
as markers in the per-work context so that it would know where to resume
the migration from the next time the work is scheduled.
Upon error, the chunk marker is reset to NULL, but without resetting the
entry markers despite being relative to it. This can result in migration
being resumed from an entry that does not belong to the chunk being
migrated. In turn, this will eventually lead to a chunk being iterated
over as if it is an entry. Because of how the two structures happen to
be defined, this does not lead to KASAN splats, but to warnings such as
[1].
Fix by creating a helper that resets all the markers and call it from
all the places the currently only reset the chunk marker. For good
measures also call it when starting a completely new rehash. Add a
warning to avoid future cases.
[1]
WARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0
Modules linked in:
CPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29
Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
RIP: 0010:mlxsw_afk_encode+0x242/0x2f0
[...]
Call Trace:
<TASK>
mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0
mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0
mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290
mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470
process_one_work+0x151/0x370
worker_thread+0x2cb/0x3e0
kthread+0xd0/0x100
ret_from_fork+0x34/0x50
</TASK>
Severity ?
5.5 (Medium)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < 0b88631855026b55cad901ac28d081e0f358e596
(git)
Affected: 6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < 1d76bd2a0034d0d08045c1c6adf2235d88982952 (git) Affected: 6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < 039992b6d2df097c65f480dcf269de3d2656f573 (git) Affected: 6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < 751d352858108314efd33dddd5a9a2b6bf7d6916 (git) Affected: 6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < e890456051fe8c57944b911defb3e6de91315861 (git) Affected: 6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < 17e9e0bbae652b9b2049e51699e93dfa60b2988d (git) Affected: 6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf , < 743edc8547a92b6192aa1f1b6bb78233fa21dc9b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-36007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-31T18:47:44.179419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T15:10:37.319Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:30:11.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b88631855026b55cad901ac28d081e0f358e596",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
},
{
"lessThan": "1d76bd2a0034d0d08045c1c6adf2235d88982952",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
},
{
"lessThan": "039992b6d2df097c65f480dcf269de3d2656f573",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
},
{
"lessThan": "751d352858108314efd33dddd5a9a2b6bf7d6916",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
},
{
"lessThan": "e890456051fe8c57944b911defb3e6de91315861",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
},
{
"lessThan": "17e9e0bbae652b9b2049e51699e93dfa60b2988d",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
},
{
"lessThan": "743edc8547a92b6192aa1f1b6bb78233fa21dc9b",
"status": "affected",
"version": "6f9579d4e3021b17b0a4cde6b04a6c94c9575cdf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.158",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.90",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.9",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \u003cTASK\u003e\n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:10:23.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596"
},
{
"url": "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952"
},
{
"url": "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573"
},
{
"url": "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916"
},
{
"url": "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861"
},
{
"url": "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d"
},
{
"url": "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b"
}
],
"title": "mlxsw: spectrum_acl_tcam: Fix warning during rehash",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36007",
"datePublished": "2024-05-20T09:48:06.947Z",
"dateReserved": "2024-05-17T13:50:33.151Z",
"dateUpdated": "2025-05-04T09:10:23.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47353 (GCVE-0-2021-47353)
Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2025-12-18 11:37
VLAI?
EPSS
Title
udf: Fix NULL pointer dereference in udf_symlink function
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix NULL pointer dereference in udf_symlink function
In function udf_symlink, epos.bh is assigned with the value returned
by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c
and returns the value of sb_getblk function that could be NULL.
Then, epos.bh is used without any check, causing a possible
NULL pointer dereference when sb_getblk fails.
This fix adds a check to validate the value of epos.bh.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2f3d9ddd32a28803baa547e6274983b67d5e287c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 371566f63cbd0bb6fbb25b8fe9d5798268d35af9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < baea588a42d675e35daeaddd10fbc9700550bc4d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3638705ecd5ad2785e996f820121c0ad15ce64b5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 80d505aee6398cf8beb72475c7edcf1733c1c68b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 21bf1414580c36ffc8d8de043beb3508cf812238 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aebed6b19e51a34003d998da5ebb1dfdd2cb1d02 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5150877e4d99f85057a458daac7cd7c01005d5c6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47353",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T19:03:03.353127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:14:54.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:32:08.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2f3d9ddd32a28803baa547e6274983b67d5e287c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/371566f63cbd0bb6fbb25b8fe9d5798268d35af9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/baea588a42d675e35daeaddd10fbc9700550bc4d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3638705ecd5ad2785e996f820121c0ad15ce64b5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/80d505aee6398cf8beb72475c7edcf1733c1c68b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/21bf1414580c36ffc8d8de043beb3508cf812238"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aebed6b19e51a34003d998da5ebb1dfdd2cb1d02"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5150877e4d99f85057a458daac7cd7c01005d5c6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f3d9ddd32a28803baa547e6274983b67d5e287c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "371566f63cbd0bb6fbb25b8fe9d5798268d35af9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "baea588a42d675e35daeaddd10fbc9700550bc4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3638705ecd5ad2785e996f820121c0ad15ce64b5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "80d505aee6398cf8beb72475c7edcf1733c1c68b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "21bf1414580c36ffc8d8de043beb3508cf812238",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aebed6b19e51a34003d998da5ebb1dfdd2cb1d02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5150877e4d99f85057a458daac7cd7c01005d5c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.13.*",
"status": "unaffected",
"version": "5.13.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.276",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.276",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.133",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.51",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix NULL pointer dereference in udf_symlink function\n\nIn function udf_symlink, epos.bh is assigned with the value returned\nby udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c\nand returns the value of sb_getblk function that could be NULL.\nThen, epos.bh is used without any check, causing a possible\nNULL pointer dereference when sb_getblk fails.\n\nThis fix adds a check to validate the value of epos.bh."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T11:37:07.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f3d9ddd32a28803baa547e6274983b67d5e287c"
},
{
"url": "https://git.kernel.org/stable/c/371566f63cbd0bb6fbb25b8fe9d5798268d35af9"
},
{
"url": "https://git.kernel.org/stable/c/baea588a42d675e35daeaddd10fbc9700550bc4d"
},
{
"url": "https://git.kernel.org/stable/c/3638705ecd5ad2785e996f820121c0ad15ce64b5"
},
{
"url": "https://git.kernel.org/stable/c/80d505aee6398cf8beb72475c7edcf1733c1c68b"
},
{
"url": "https://git.kernel.org/stable/c/21bf1414580c36ffc8d8de043beb3508cf812238"
},
{
"url": "https://git.kernel.org/stable/c/aebed6b19e51a34003d998da5ebb1dfdd2cb1d02"
},
{
"url": "https://git.kernel.org/stable/c/5150877e4d99f85057a458daac7cd7c01005d5c6"
},
{
"url": "https://git.kernel.org/stable/c/fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43"
}
],
"title": "udf: Fix NULL pointer dereference in udf_symlink function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47353",
"datePublished": "2024-05-21T14:35:57.122Z",
"dateReserved": "2024-05-21T14:28:16.986Z",
"dateUpdated": "2025-12-18T11:37:07.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26974 (GCVE-0-2024-26974)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:20 – Updated: 2025-05-04 09:01
VLAI?
EPSS
Title
crypto: qat - resolve race condition during AER recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - resolve race condition during AER recovery
During the PCI AER system's error recovery process, the kernel driver
may encounter a race condition with freeing the reset_data structure's
memory. If the device restart will take more than 10 seconds the function
scheduling that restart will exit due to a timeout, and the reset_data
structure will be freed. However, this data structure is used for
completion notification after the restart is completed, which leads
to a UAF bug.
This results in a KFENCE bug notice.
BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]
Use-after-free read at 0x00000000bc56fddf (in kfence-#142):
adf_device_reset_worker+0x38/0xa0 [intel_qat]
process_one_work+0x173/0x340
To resolve this race condition, the memory associated to the container
of the work_struct is freed on the worker if the timeout expired,
otherwise on the function that schedules the worker.
The timeout detection can be done by checking if the caller is
still waiting for completion or not by using completion_done() function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < daba62d9eeddcc5b1081be7d348ca836c83c59d7
(git)
Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < 8e81cd58aee14a470891733181a47d123193ba81 (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < d03092550f526a79cf1ade7f0dfa74906f39eb71 (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < 4ae5a97781ce7d6ecc9c7055396535815b64ca4f (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < 226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < 8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < 0c2cf5142bfb634c0ef0a1a69cdf37950747d0be (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < bb279ead42263e9fb09480f02a4247b2c287d828 (git) Affected: d8cba25d2c68992a6e7c1d329b690a9ebe01167d , < 7d42e097607c4d246d99225bf2b195b6167a210c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26974",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T17:47:45.425638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:36.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_aer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "daba62d9eeddcc5b1081be7d348ca836c83c59d7",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "8e81cd58aee14a470891733181a47d123193ba81",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "d03092550f526a79cf1ade7f0dfa74906f39eb71",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "4ae5a97781ce7d6ecc9c7055396535815b64ca4f",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "0c2cf5142bfb634c0ef0a1a69cdf37950747d0be",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "bb279ead42263e9fb09480f02a4247b2c287d828",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
},
{
"lessThan": "7d42e097607c4d246d99225bf2b195b6167a210c",
"status": "affected",
"version": "d8cba25d2c68992a6e7c1d329b690a9ebe01167d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/intel/qat/qat_common/adf_aer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system\u0027s error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure\u0027s\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:01:16.054Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7"
},
{
"url": "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81"
},
{
"url": "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71"
},
{
"url": "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f"
},
{
"url": "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7"
},
{
"url": "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc"
},
{
"url": "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be"
},
{
"url": "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828"
},
{
"url": "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c"
}
],
"title": "crypto: qat - resolve race condition during AER recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26974",
"datePublished": "2024-05-01T05:20:14.163Z",
"dateReserved": "2024-02-19T14:20:24.203Z",
"dateUpdated": "2025-05-04T09:01:16.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36004 (GCVE-0-2024-36004)
Vulnerability from cvelistv5 – Published: 2024-05-20 09:48 – Updated: 2025-05-04 09:10
VLAI?
EPSS
Title
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
Issue reported by customer during SRIOV testing, call trace:
When both i40e and the i40iw driver are loaded, a warning
in check_flush_dependency is being triggered. This seems
to be because of the i40e driver workqueue is allocated with
the WQ_MEM_RECLAIM flag, and the i40iw one is not.
Similar error was encountered on ice too and it was fixed by
removing the flag. Do the same for i40e too.
[Feb 9 09:08] ------------[ cut here ]------------
[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is
flushing !WQ_MEM_RECLAIM infiniband:0x0
[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966
check_flush_dependency+0x10b/0x120
[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq
snd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4
nls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr
rfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma
intel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif
isst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal
intel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core
iTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore
ioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich
intel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad
xfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe
drm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel
libata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror
dm_region_hash dm_log dm_mod fuse
[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not
tainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1
[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS
SE5C620.86B.02.01.0013.121520200651 12/15/2020
[ +0.000001] Workqueue: i40e i40e_service_task [i40e]
[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120
[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48
81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd
ff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90
[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282
[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:
0000000000000027
[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:
ffff94d47f620bc0
[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:
00000000ffff7fff
[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:
ffff94c5451ea180
[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:
ffff94c5f1330ab0
[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)
knlGS:0000000000000000
[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:
00000000007706f0
[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ +0.000001] PKRU: 55555554
[ +0.000001] Call Trace:
[ +0.000001] <TASK>
[ +0.000002] ? __warn+0x80/0x130
[ +0.000003] ? check_flush_dependency+0x10b/0x120
[ +0.000002] ? report_bug+0x195/0x1a0
[ +0.000005] ? handle_bug+0x3c/0x70
[ +0.000003] ? exc_invalid_op+0x14/0x70
[ +0.000002] ? asm_exc_invalid_op+0x16/0x20
[ +0.000006] ? check_flush_dependency+0x10b/0x120
[ +0.000002] ? check_flush_dependency+0x10b/0x120
[ +0.000002] __flush_workqueue+0x126/0x3f0
[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]
[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]
[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]
[ +0.000020] i40iw_close+0x4b/0x90 [irdma]
[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]
[ +0.000035] i40e_service_task+0x126/0x190 [i40e]
[ +0.000024] process_one_work+0x174/0x340
[ +0.000003] worker_th
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4d5957cbdecdbb77d24c1465caadd801c07afa4a , < 09b54d29f05129b092f7c793a70b689ffb3c7b2c
(git)
Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < 546d0fe9d76e8229a67369f9cb61e961d99038bd (git) Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < fbbb2404340dd6178e281bd427c271f7d5ec1d22 (git) Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < ff7431f898dd00892a545b7d0ce7adf5b926944f (git) Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < 152ed360cf2d273f88fc99a518b7eb868aae2939 (git) Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < 8d6105f637883c8c09825e962308c06e977de4f0 (git) Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < 1594dac8b1ed78f9e75c263327e198a2e5e25b0e (git) Affected: 4d5957cbdecdbb77d24c1465caadd801c07afa4a , < 2cc7d150550cc981aceedf008f5459193282425c (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36004",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T17:00:59.391854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:48.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:30:12.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09b54d29f05129b092f7c793a70b689ffb3c7b2c",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "546d0fe9d76e8229a67369f9cb61e961d99038bd",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "fbbb2404340dd6178e281bd427c271f7d5ec1d22",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "ff7431f898dd00892a545b7d0ce7adf5b926944f",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "152ed360cf2d273f88fc99a518b7eb868aae2939",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "8d6105f637883c8c09825e962308c06e977de4f0",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "1594dac8b1ed78f9e75c263327e198a2e5e25b0e",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
},
{
"lessThan": "2cc7d150550cc981aceedf008f5459193282425c",
"status": "affected",
"version": "4d5957cbdecdbb77d24c1465caadd801c07afa4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.313",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.158",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.90",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.9",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff \u003c0f\u003e 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \u003cTASK\u003e\n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:10:19.743Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c"
},
{
"url": "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd"
},
{
"url": "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22"
},
{
"url": "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f"
},
{
"url": "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939"
},
{
"url": "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0"
},
{
"url": "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e"
},
{
"url": "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c"
}
],
"title": "i40e: Do not use WQ_MEM_RECLAIM flag for workqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36004",
"datePublished": "2024-05-20T09:48:04.926Z",
"dateReserved": "2024-05-17T13:50:33.150Z",
"dateUpdated": "2025-05-04T09:10:19.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52667 (GCVE-0-2023-52667)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:01 – Updated: 2025-05-04 07:41
VLAI?
EPSS
Title
net/mlx5e: fix a potential double-free in fs_any_create_groups
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: fix a potential double-free in fs_any_create_groups
When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
fs_any_create_groups() will free ft->g. However, its caller
fs_any_create_table() will free ft->g again through calling
mlx5e_destroy_flow_table(), which will lead to a double-free.
Fix this by setting ft->g to NULL in fs_any_create_groups().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6 , < 72a729868592752b5a294d27453da264106983b1
(git)
Affected: 0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6 , < b2fa86b2aceb4bc9ada51cea90f61546d7512cbe (git) Affected: 0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6 , < 2897c981ee63e1be5e530b1042484626a10b26d8 (git) Affected: 0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6 , < 65a4ade8a6d205979292e88beeb6a626ddbd4779 (git) Affected: 0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6 , < aef855df7e1bbd5aa4484851561211500b22707e (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:34.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:42:12.540016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:50.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72a729868592752b5a294d27453da264106983b1",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
},
{
"lessThan": "b2fa86b2aceb4bc9ada51cea90f61546d7512cbe",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
},
{
"lessThan": "2897c981ee63e1be5e530b1042484626a10b26d8",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
},
{
"lessThan": "65a4ade8a6d205979292e88beeb6a626ddbd4779",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
},
{
"lessThan": "aef855df7e1bbd5aa4484851561211500b22707e",
"status": "affected",
"version": "0f575c20bf0686caf3d82d6c626c2e1e4a4c36e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft-\u003eg succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft-\u003eg. However, its caller\nfs_any_create_table() will free ft-\u003eg again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft-\u003eg to NULL in fs_any_create_groups()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:41:10.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1"
},
{
"url": "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe"
},
{
"url": "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8"
},
{
"url": "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779"
},
{
"url": "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e"
}
],
"title": "net/mlx5e: fix a potential double-free in fs_any_create_groups",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52667",
"datePublished": "2024-05-17T14:01:48.454Z",
"dateReserved": "2024-03-07T14:49:46.885Z",
"dateUpdated": "2025-05-04T07:41:10.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26656 (GCVE-0-2024-26656)
Vulnerability from cvelistv5 – Published: 2024-04-02 06:08 – Updated: 2025-11-03 19:29
VLAI?
EPSS
Title
drm/amdgpu: fix use-after-free bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix use-after-free bug
The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl
to the AMDGPU DRM driver on any ASICs with an invalid address and size.
The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.
For example the following code:
static void Syzkaller1(int fd)
{
struct drm_amdgpu_gem_userptr arg;
int ret;
arg.addr = 0xffffffffffff0000;
arg.size = 0x80000000; /*2 Gb*/
arg.flags = 0x7;
ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);
}
Due to the address and size are not valid there is a failure in
amdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->
check_shl_overflow, but we even the amdgpu_hmm_register failure we still call
amdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.
The following stack is below when the issue is reproduced when Kazan is enabled:
[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340
[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80
[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246
[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b
[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260
[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25
[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00
[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260
[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000
[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0
[ +0.000010] Call Trace:
[ +0.000006] <TASK>
[ +0.000007] ? show_regs+0x6a/0x80
[ +0.000018] ? __warn+0xa5/0x1b0
[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340
[ +0.000018] ? report_bug+0x24a/0x290
[ +0.000022] ? handle_bug+0x46/0x90
[ +0.000015] ? exc_invalid_op+0x19/0x50
[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20
[ +0.000017] ? kasan_save_stack+0x26/0x50
[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340
[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340
[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340
[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10
[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30
[ +0.000018] ? srso_return_thunk+0x5/0x5f
[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0
[ +0.000018] ? srso_return_thunk+0x5/0x5f
[ +0.000013] ? __kasan_check_read+0x11/0x20
[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]
[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]
[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]
[ +0.004291] ? do_syscall_64+0x5f/0xe0
[ +0.000023] ? srso_return_thunk+0x5/0x5f
[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]
[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]
[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
[ +0.004270] ? srso_return_thunk+0x5/0x5f
[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20
[ +0.000015] ? srso_return_thunk+0x5/0x5f
[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0
[ +0.000020] ? srso_return_thunk+0x5/0x5f
[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]
[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]
[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]
[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 2e13f88e01ae7e28a7e831bf5c2409c4748e0a60
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < e87e08c94c9541b4e18c4c13f2f605935f512605 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < af054a5fb24a144f99895afce9519d709891894c (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 22f665ecfd1225afa1309ace623157d12bb9bb0c (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 22207fd5c80177b860279653d017474b2812af5e (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T14:54:50.822759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:23.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:29:28.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e13f88e01ae7e28a7e831bf5c2409c4748e0a60",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "e87e08c94c9541b4e18c4c13f2f605935f512605",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "af054a5fb24a144f99895afce9519d709891894c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "22f665ecfd1225afa1309ace623157d12bb9bb0c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "22207fd5c80177b860279653d017474b2812af5e",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung \u003cjoonkyoj@yonsei.ac.kr\u003e.\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, \u0026arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register-\u003emmu_interval_notifier_insert-\u003e__mmu_interval_notifier_insert-\u003e\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff \u003c0f\u003e 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \u003cTASK\u003e\n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:29.104Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e13f88e01ae7e28a7e831bf5c2409c4748e0a60"
},
{
"url": "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605"
},
{
"url": "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c"
},
{
"url": "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c"
},
{
"url": "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e"
}
],
"title": "drm/amdgpu: fix use-after-free bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26656",
"datePublished": "2024-04-02T06:08:43.558Z",
"dateReserved": "2024-02-19T14:20:24.145Z",
"dateUpdated": "2025-11-03T19:29:28.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-46909 (GCVE-0-2021-46909)
Vulnerability from cvelistv5 – Published: 2024-02-27 06:53 – Updated: 2025-05-04 07:00
VLAI?
EPSS
Title
ARM: footbridge: fix PCI interrupt mapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: footbridge: fix PCI interrupt mapping
Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in
pci_device_probe()"), the PCI code will call the IRQ mapping function
whenever a PCI driver is probed. If these are marked as __init, this
causes an oops if a PCI driver is loaded or bound after the kernel has
initialised.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
30fdfb929e82450bbf3d0e0aba56efbc29b52b52 , < 532747fd5c7aaa17ee5cf79f3e947c31eb0e35cf
(git)
Affected: 30fdfb929e82450bbf3d0e0aba56efbc29b52b52 , < 2643da6aa57920d9159a1a579fb04f89a2b0d29a (git) Affected: 30fdfb929e82450bbf3d0e0aba56efbc29b52b52 , < 871b569a3e67f570df9f5ba195444dc7c621293b (git) Affected: 30fdfb929e82450bbf3d0e0aba56efbc29b52b52 , < 1fc087fdb98d556b416c82ed6e3964a30885f47a (git) Affected: 30fdfb929e82450bbf3d0e0aba56efbc29b52b52 , < c3efce8cc9807339633ee30e39882f4c8626ee1d (git) Affected: 30fdfb929e82450bbf3d0e0aba56efbc29b52b52 , < 30e3b4f256b4e366a61658c294f6a21b8626dda7 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46909",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T22:33:27.334758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:15.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:17:42.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/532747fd5c7aaa17ee5cf79f3e947c31eb0e35cf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2643da6aa57920d9159a1a579fb04f89a2b0d29a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/871b569a3e67f570df9f5ba195444dc7c621293b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1fc087fdb98d556b416c82ed6e3964a30885f47a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c3efce8cc9807339633ee30e39882f4c8626ee1d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/30e3b4f256b4e366a61658c294f6a21b8626dda7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-footbridge/cats-pci.c",
"arch/arm/mach-footbridge/ebsa285-pci.c",
"arch/arm/mach-footbridge/netwinder-pci.c",
"arch/arm/mach-footbridge/personal-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "532747fd5c7aaa17ee5cf79f3e947c31eb0e35cf",
"status": "affected",
"version": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52",
"versionType": "git"
},
{
"lessThan": "2643da6aa57920d9159a1a579fb04f89a2b0d29a",
"status": "affected",
"version": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52",
"versionType": "git"
},
{
"lessThan": "871b569a3e67f570df9f5ba195444dc7c621293b",
"status": "affected",
"version": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52",
"versionType": "git"
},
{
"lessThan": "1fc087fdb98d556b416c82ed6e3964a30885f47a",
"status": "affected",
"version": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52",
"versionType": "git"
},
{
"lessThan": "c3efce8cc9807339633ee30e39882f4c8626ee1d",
"status": "affected",
"version": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52",
"versionType": "git"
},
{
"lessThan": "30e3b4f256b4e366a61658c294f6a21b8626dda7",
"status": "affected",
"version": "30fdfb929e82450bbf3d0e0aba56efbc29b52b52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-footbridge/cats-pci.c",
"arch/arm/mach-footbridge/ebsa285-pci.c",
"arch/arm/mach-footbridge/netwinder-pci.c",
"arch/arm/mach-footbridge/personal-pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.232",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.189",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.114",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.32",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: footbridge: fix PCI interrupt mapping\n\nSince commit 30fdfb929e82 (\"PCI: Add a call to pci_assign_irq() in\npci_device_probe()\"), the PCI code will call the IRQ mapping function\nwhenever a PCI driver is probed. If these are marked as __init, this\ncauses an oops if a PCI driver is loaded or bound after the kernel has\ninitialised."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:00:09.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/532747fd5c7aaa17ee5cf79f3e947c31eb0e35cf"
},
{
"url": "https://git.kernel.org/stable/c/2643da6aa57920d9159a1a579fb04f89a2b0d29a"
},
{
"url": "https://git.kernel.org/stable/c/871b569a3e67f570df9f5ba195444dc7c621293b"
},
{
"url": "https://git.kernel.org/stable/c/1fc087fdb98d556b416c82ed6e3964a30885f47a"
},
{
"url": "https://git.kernel.org/stable/c/c3efce8cc9807339633ee30e39882f4c8626ee1d"
},
{
"url": "https://git.kernel.org/stable/c/30e3b4f256b4e366a61658c294f6a21b8626dda7"
}
],
"title": "ARM: footbridge: fix PCI interrupt mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-46909",
"datePublished": "2024-02-27T06:53:50.181Z",
"dateReserved": "2024-02-25T13:45:52.718Z",
"dateUpdated": "2025-05-04T07:00:09.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35960 (GCVE-0-2024-35960)
Vulnerability from cvelistv5 – Published: 2024-05-20 09:41 – Updated: 2025-05-04 09:09
VLAI?
EPSS
Title
net/mlx5: Properly link new fs rules into the tree
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Properly link new fs rules into the tree
Previously, add_rule_fg would only add newly created rules from the
handle into the tree when they had a refcount of 1. On the other hand,
create_flow_handle tries hard to find and reference already existing
identical rules instead of creating new ones.
These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it
again,
resulting in a rule with a refcount of 2 that is not linked into the
tree, will have a NULL parent and root and will result in a crash when
the flow group is deleted because del_sw_hw_rule, invoked on rule
deletion, assumes node->parent is != NULL.
This happened in the wild, due to another bug related to incorrect
handling of duplicate pkt_reformat ids, which lead to the code in
create_flow_handle incorrectly referencing a just-added rule in the same
flow handle, resulting in the problem described above. Full details are
at [1].
This patch changes add_rule_fg to add new rules without parents into
the tree, properly initializing them and avoiding the crash. This makes
it more consistent with how rules are added to an FTE in
create_flow_handle.
Severity ?
9.1 (Critical)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
74491de937125d0c98c9b9c9208b4105717a3caa , < de0139719cdda82806a47580ca0df06fc85e0bd2
(git)
Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 1263b0b26077b1183c3c45a0a2479573a351d423 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 7aaee12b804c5e0374e7b132b6ec2158ff33dd64 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 2e8dc5cffc844dacfa79f056dea88002312f253f (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 5cf5337ef701830f173b4eec00a4f984adeb57a0 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < adf67a03af39095f05d82050f15813d6f700159d (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 7c6782ad4911cbee874e85630226ed389ff2e453 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "de0139719cdd",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "3d90ca9145f6",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "7aaee12b804c",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "2e8dc5cffc84",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5cf5337ef701",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "adf67a03af39",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "7c6782ad4911",
"status": "affected",
"version": "74491de93712",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "4.10"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "4.20",
"status": "unaffected",
"version": "4.19.313",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.11",
"status": "unaffected",
"version": "5.10.216",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "5.16",
"status": "unaffected",
"version": "5.15.156",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.2",
"status": "unaffected",
"version": "6.1.87",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "unaffected",
"version": "6.6.28",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.9",
"status": "unaffected",
"version": "6.8.7",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.9"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T21:09:41.022641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T21:09:59.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:49.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/fs_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de0139719cdda82806a47580ca0df06fc85e0bd2",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "1263b0b26077b1183c3c45a0a2479573a351d423",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "7aaee12b804c5e0374e7b132b6ec2158ff33dd64",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "2e8dc5cffc844dacfa79f056dea88002312f253f",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "5cf5337ef701830f173b4eec00a4f984adeb57a0",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "adf67a03af39095f05d82050f15813d6f700159d",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
},
{
"lessThan": "7c6782ad4911cbee874e85630226ed389ff2e453",
"status": "affected",
"version": "74491de937125d0c98c9b9c9208b4105717a3caa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/fs_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.313",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.156",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.87",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.28",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node-\u003eparent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:09:16.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2"
},
{
"url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423"
},
{
"url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801"
},
{
"url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64"
},
{
"url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f"
},
{
"url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0"
},
{
"url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d"
},
{
"url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453"
}
],
"title": "net/mlx5: Properly link new fs rules into the tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35960",
"datePublished": "2024-05-20T09:41:51.900Z",
"dateReserved": "2024-05-17T13:50:33.137Z",
"dateUpdated": "2025-05-04T09:09:16.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35959 (GCVE-0-2024-35959)
Vulnerability from cvelistv5 – Published: 2024-05-20 09:41 – Updated: 2025-05-04 09:09
VLAI?
EPSS
Title
net/mlx5e: Fix mlx5e_priv_init() cleanup flow
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix mlx5e_priv_init() cleanup flow
When mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which
calls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using
lockdep_is_held().
Acquire the state_lock in mlx5e_selq_cleanup().
Kernel log:
=============================
WARNING: suspicious RCU usage
6.8.0-rc3_net_next_841a9b5 #1 Not tainted
-----------------------------
drivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by systemd-modules/293:
#0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]
#1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]
stack backtrace:
CPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x8a/0xa0
lockdep_rcu_suspicious+0x154/0x1a0
mlx5e_selq_apply+0x94/0xa0 [mlx5_core]
mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]
mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]
mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]
rdma_init_netdev+0x4e/0x80 [ib_core]
? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]
ipoib_intf_init+0x64/0x550 [ib_ipoib]
ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]
ipoib_add_one+0xb0/0x360 [ib_ipoib]
add_client_context+0x112/0x1c0 [ib_core]
ib_register_client+0x166/0x1b0 [ib_core]
? 0xffffffffa0573000
ipoib_init_module+0xeb/0x1a0 [ib_ipoib]
do_one_initcall+0x61/0x250
do_init_module+0x8a/0x270
init_module_from_file+0x8b/0xd0
idempotent_init_module+0x17d/0x230
__x64_sys_finit_module+0x61/0xb0
do_syscall_64+0x71/0x140
entry_SYSCALL_64_after_hwframe+0x46/0x4e
</TASK>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8bf30be75069d6080659de9a28565c048f6cef9b , < ad26f26abd353113dea4e8d5ebadccdab9b61e76
(git)
Affected: 8bf30be75069d6080659de9a28565c048f6cef9b , < f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3 (git) Affected: 8bf30be75069d6080659de9a28565c048f6cef9b , < 6bd77865fda662913dcb5722a66a773840370aa7 (git) Affected: 8bf30be75069d6080659de9a28565c048f6cef9b , < ecb829459a841198e142f72fadab56424ae96519 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:49.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35959",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:40:38.972541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:14.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/selq.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad26f26abd353113dea4e8d5ebadccdab9b61e76",
"status": "affected",
"version": "8bf30be75069d6080659de9a28565c048f6cef9b",
"versionType": "git"
},
{
"lessThan": "f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3",
"status": "affected",
"version": "8bf30be75069d6080659de9a28565c048f6cef9b",
"versionType": "git"
},
{
"lessThan": "6bd77865fda662913dcb5722a66a773840370aa7",
"status": "affected",
"version": "8bf30be75069d6080659de9a28565c048f6cef9b",
"versionType": "git"
},
{
"lessThan": "ecb829459a841198e142f72fadab56424ae96519",
"status": "affected",
"version": "8bf30be75069d6080659de9a28565c048f6cef9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/selq.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.87",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.28",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv-\u003estate_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (\u0026device-\u003eclient_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:09:15.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76"
},
{
"url": "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3"
},
{
"url": "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7"
},
{
"url": "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519"
}
],
"title": "net/mlx5e: Fix mlx5e_priv_init() cleanup flow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35959",
"datePublished": "2024-05-20T09:41:51.244Z",
"dateReserved": "2024-05-17T13:50:33.137Z",
"dateUpdated": "2025-05-04T09:09:15.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26826 (GCVE-0-2024-26826)
Vulnerability from cvelistv5 – Published: 2024-04-17 09:43 – Updated: 2025-05-04 08:57
VLAI?
EPSS
Title
mptcp: fix data re-injection from stale subflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix data re-injection from stale subflow
When the MPTCP PM detects that a subflow is stale, all the packet
scheduler must re-inject all the mptcp-level unacked data. To avoid
acquiring unneeded locks, it first try to check if any unacked data
is present at all in the RTX queue, but such check is currently
broken, as it uses TCP-specific helper on an MPTCP socket.
Funnily enough fuzzers and static checkers are happy, as the accessed
memory still belongs to the mptcp_sock struct, and even from a
functional perspective the recovery completed successfully, as
the short-cut test always failed.
A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize
tcp_sock fast path variables") - exposed the issue, as the tcp field
reorganization makes the mptcp code always skip the re-inection.
Fix the issue dropping the bogus call: we are on a slow path, the early
optimization proved once again to be evil.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1e1d9d6f119c55c05e8ea78ed3e49046690abffd , < 6f95120f898b40d13fd441225ef511307853c9c2
(git)
Affected: 1e1d9d6f119c55c05e8ea78ed3e49046690abffd , < 6673d9f1c2cd984390550dbdf7d5ae07b20abbf8 (git) Affected: 1e1d9d6f119c55c05e8ea78ed3e49046690abffd , < b609c783c535493aa3fca22c7e40a120370b1ca5 (git) Affected: 1e1d9d6f119c55c05e8ea78ed3e49046690abffd , < 624902eab7abcb8731b333ec73f206d38d839cd8 (git) Affected: 1e1d9d6f119c55c05e8ea78ed3e49046690abffd , < b6c620dc43ccb4e802894e54b651cf81495e9598 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:49:00.883183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:30.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f95120f898b40d13fd441225ef511307853c9c2",
"status": "affected",
"version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
"versionType": "git"
},
{
"lessThan": "6673d9f1c2cd984390550dbdf7d5ae07b20abbf8",
"status": "affected",
"version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
"versionType": "git"
},
{
"lessThan": "b609c783c535493aa3fca22c7e40a120370b1ca5",
"status": "affected",
"version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
"versionType": "git"
},
{
"lessThan": "624902eab7abcb8731b333ec73f206d38d839cd8",
"status": "affected",
"version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
"versionType": "git"
},
{
"lessThan": "b6c620dc43ccb4e802894e54b651cf81495e9598",
"status": "affected",
"version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:57:24.333Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"
},
{
"url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"
},
{
"url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"
},
{
"url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"
},
{
"url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"
}
],
"title": "mptcp: fix data re-injection from stale subflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26826",
"datePublished": "2024-04-17T09:43:51.741Z",
"dateReserved": "2024-02-19T14:20:24.181Z",
"dateUpdated": "2025-05-04T08:57:24.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47311 (GCVE-0-2021-47311)
Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2025-05-04 07:08
VLAI?
EPSS
Title
net: qcom/emac: fix UAF in emac_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: qcom/emac: fix UAF in emac_remove
adpt is netdev private data and it cannot be
used after free_netdev() call. Using adpt after free_netdev()
can cause UAF bug. Fix it by moving free_netdev() at the end of the
function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
54e19bc74f3380d414681762ceed9f7245bc6a6e , < 4d04a42b926e682140776e54188f4a44f1f01a81
(git)
Affected: 54e19bc74f3380d414681762ceed9f7245bc6a6e , < b1e091331920f8fbfc747dcbd16263fcd71abb2d (git) Affected: 54e19bc74f3380d414681762ceed9f7245bc6a6e , < 11e9d163d631198bb3eb41a677a61b499516c0f7 (git) Affected: 54e19bc74f3380d414681762ceed9f7245bc6a6e , < 2b70ca92847c619d6264c7372ef74fcbfd1e048c (git) Affected: 54e19bc74f3380d414681762ceed9f7245bc6a6e , < b560521eca03d0a2db6093a5a632cbdd0a0cf833 (git) Affected: 54e19bc74f3380d414681762ceed9f7245bc6a6e , < 8a225a6e07a57a1538d53637cb3d82bd3e477839 (git) Affected: 54e19bc74f3380d414681762ceed9f7245bc6a6e , < ad297cd2db8953e2202970e9504cab247b6c7cb4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:32:08.445Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4d04a42b926e682140776e54188f4a44f1f01a81"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b1e091331920f8fbfc747dcbd16263fcd71abb2d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/11e9d163d631198bb3eb41a677a61b499516c0f7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2b70ca92847c619d6264c7372ef74fcbfd1e048c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b560521eca03d0a2db6093a5a632cbdd0a0cf833"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8a225a6e07a57a1538d53637cb3d82bd3e477839"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ad297cd2db8953e2202970e9504cab247b6c7cb4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T18:50:38.591727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T18:50:45.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qualcomm/emac/emac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d04a42b926e682140776e54188f4a44f1f01a81",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
},
{
"lessThan": "b1e091331920f8fbfc747dcbd16263fcd71abb2d",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
},
{
"lessThan": "11e9d163d631198bb3eb41a677a61b499516c0f7",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
},
{
"lessThan": "2b70ca92847c619d6264c7372ef74fcbfd1e048c",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
},
{
"lessThan": "b560521eca03d0a2db6093a5a632cbdd0a0cf833",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
},
{
"lessThan": "8a225a6e07a57a1538d53637cb3d82bd3e477839",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
},
{
"lessThan": "ad297cd2db8953e2202970e9504cab247b6c7cb4",
"status": "affected",
"version": "54e19bc74f3380d414681762ceed9f7245bc6a6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qualcomm/emac/emac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.277",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.13.*",
"status": "unaffected",
"version": "5.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.277",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.241",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.199",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.135",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13.5",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.14",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qcom/emac: fix UAF in emac_remove\n\nadpt is netdev private data and it cannot be\nused after free_netdev() call. Using adpt after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:08:27.212Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d04a42b926e682140776e54188f4a44f1f01a81"
},
{
"url": "https://git.kernel.org/stable/c/b1e091331920f8fbfc747dcbd16263fcd71abb2d"
},
{
"url": "https://git.kernel.org/stable/c/11e9d163d631198bb3eb41a677a61b499516c0f7"
},
{
"url": "https://git.kernel.org/stable/c/2b70ca92847c619d6264c7372ef74fcbfd1e048c"
},
{
"url": "https://git.kernel.org/stable/c/b560521eca03d0a2db6093a5a632cbdd0a0cf833"
},
{
"url": "https://git.kernel.org/stable/c/8a225a6e07a57a1538d53637cb3d82bd3e477839"
},
{
"url": "https://git.kernel.org/stable/c/ad297cd2db8953e2202970e9504cab247b6c7cb4"
}
],
"title": "net: qcom/emac: fix UAF in emac_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47311",
"datePublished": "2024-05-21T14:35:29.304Z",
"dateReserved": "2024-05-21T14:28:16.973Z",
"dateUpdated": "2025-05-04T07:08:27.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26555 (GCVE-0-2020-26555)
Vulnerability from cvelistv5 – Published: 2021-05-24 17:41 – Updated: 2025-11-04 19:12
VLAI?
EPSS
Summary
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:12:16.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/799380"
},
{
"name": "FEDORA-2021-a35b44fd9f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSS6CTGE4UGTJLCOZOASDR3T3SLL6QJZ/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/799380"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T17:06:22.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.cert.org/vuls/id/799380"
},
{
"name": "FEDORA-2021-a35b44fd9f",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NSS6CTGE4UGTJLCOZOASDR3T3SLL6QJZ/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/",
"refsource": "MISC",
"url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/"
},
{
"name": "https://kb.cert.org/vuls/id/799380",
"refsource": "MISC",
"url": "https://kb.cert.org/vuls/id/799380"
},
{
"name": "FEDORA-2021-a35b44fd9f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NSS6CTGE4UGTJLCOZOASDR3T3SLL6QJZ/"
},
{
"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html",
"refsource": "CONFIRM",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00520.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26555",
"datePublished": "2021-05-24T17:41:15.000Z",
"dateReserved": "2020-10-04T00:00:00.000Z",
"dateUpdated": "2025-11-04T19:12:16.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52464 (GCVE-0-2023-52464)
Vulnerability from cvelistv5 – Published: 2024-02-23 14:46 – Updated: 2025-05-04 07:37
VLAI?
EPSS
Title
EDAC/thunderx: Fix possible out-of-bounds string access
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/thunderx: Fix possible out-of-bounds string access
Enabling -Wstringop-overflow globally exposes a warning for a common bug
in the usage of strncat():
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which uses the size of the destination buffer
as its third argument rather than the length of the source buffer. The
result is that there is no check on the size of the allocated buffer.
Change it to strlcat().
[ bp: Trim compiler output, fixup commit message. ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
41003396f932d7f027725c7acebb6a7caa41dc3e , < 71c17ee02538802ceafc830f0736aa35b564e601
(git)
Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < 5da3b6e7196f0b4f3728e4e25eb20233a9ddfaf6 (git) Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < 6aa7865ba7ff7f0ede0035180fb3b9400ceb405a (git) Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < 700cf4bead80fac994dcc43ae1ca5d86d8959b21 (git) Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < 9dbac9fdae6e3b411fc4c3fca3bf48f70609c398 (git) Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < e1c86511241588efffaa49556196f09a498d5057 (git) Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < 426fae93c01dffa379225eb2bd4d3cdc42c6eec5 (git) Affected: 41003396f932d7f027725c7acebb6a7caa41dc3e , < 475c58e1a471e9b873e3e39958c64a2d278275c8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-23T18:16:12.525994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:24:08.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:19.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/71c17ee02538802ceafc830f0736aa35b564e601"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5da3b6e7196f0b4f3728e4e25eb20233a9ddfaf6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6aa7865ba7ff7f0ede0035180fb3b9400ceb405a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/700cf4bead80fac994dcc43ae1ca5d86d8959b21"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9dbac9fdae6e3b411fc4c3fca3bf48f70609c398"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e1c86511241588efffaa49556196f09a498d5057"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/426fae93c01dffa379225eb2bd4d3cdc42c6eec5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/475c58e1a471e9b873e3e39958c64a2d278275c8"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/thunderx_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71c17ee02538802ceafc830f0736aa35b564e601",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "5da3b6e7196f0b4f3728e4e25eb20233a9ddfaf6",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "6aa7865ba7ff7f0ede0035180fb3b9400ceb405a",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "700cf4bead80fac994dcc43ae1ca5d86d8959b21",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "9dbac9fdae6e3b411fc4c3fca3bf48f70609c398",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "e1c86511241588efffaa49556196f09a498d5057",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "426fae93c01dffa379225eb2bd4d3cdc42c6eec5",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
},
{
"lessThan": "475c58e1a471e9b873e3e39958c64a2d278275c8",
"status": "affected",
"version": "41003396f932d7f027725c7acebb6a7caa41dc3e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/thunderx_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.268",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.306",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.268",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.209",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.148",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.75",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.14",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/thunderx: Fix possible out-of-bounds string access\n\nEnabling -Wstringop-overflow globally exposes a warning for a common bug\nin the usage of strncat():\n\n drivers/edac/thunderx_edac.c: In function \u0027thunderx_ocx_com_threaded_isr\u0027:\n drivers/edac/thunderx_edac.c:1136:17: error: \u0027strncat\u0027 specified bound 1024 equals destination size [-Werror=stringop-overflow=]\n 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n ...\n 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);\n ...\n 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);\n\n ...\n\nApparently the author of this driver expected strncat() to behave the\nway that strlcat() does, which uses the size of the destination buffer\nas its third argument rather than the length of the source buffer. The\nresult is that there is no check on the size of the allocated buffer.\n\nChange it to strlcat().\n\n [ bp: Trim compiler output, fixup commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:37:16.530Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71c17ee02538802ceafc830f0736aa35b564e601"
},
{
"url": "https://git.kernel.org/stable/c/5da3b6e7196f0b4f3728e4e25eb20233a9ddfaf6"
},
{
"url": "https://git.kernel.org/stable/c/6aa7865ba7ff7f0ede0035180fb3b9400ceb405a"
},
{
"url": "https://git.kernel.org/stable/c/700cf4bead80fac994dcc43ae1ca5d86d8959b21"
},
{
"url": "https://git.kernel.org/stable/c/9dbac9fdae6e3b411fc4c3fca3bf48f70609c398"
},
{
"url": "https://git.kernel.org/stable/c/e1c86511241588efffaa49556196f09a498d5057"
},
{
"url": "https://git.kernel.org/stable/c/426fae93c01dffa379225eb2bd4d3cdc42c6eec5"
},
{
"url": "https://git.kernel.org/stable/c/475c58e1a471e9b873e3e39958c64a2d278275c8"
}
],
"title": "EDAC/thunderx: Fix possible out-of-bounds string access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52464",
"datePublished": "2024-02-23T14:46:24.150Z",
"dateReserved": "2024-02-20T12:30:33.296Z",
"dateUpdated": "2025-05-04T07:37:16.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27397 (GCVE-0-2024-27397)
Vulnerability from cvelistv5 – Published: 2024-05-09 16:37 – Updated: 2025-11-03 21:54
VLAI?
EPSS
Title
netfilter: nf_tables: use timestamp to check for set element timeout
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: use timestamp to check for set element timeout
Add a timestamp field at the beginning of the transaction, store it
in the nftables per-netns area.
Update set backend .insert, .deactivate and sync gc path to use the
timestamp, this avoids that an element expires while control plane
transaction is still unfinished.
.lookup and .update, which are used from packet path, still use the
current time to check if the element has expired. And .get path and dump
also since this runs lockless under rcu read size lock. Then, there is
async gc which also needs to check the current time since it runs
asynchronously from a workqueue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c3e1b005ed1cc068fc9d454a6e745830d55d251d , < f8dfda798650241c1692058713ca4fef8e429061
(git)
Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe (git) Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < 7b17de2a71e56c10335b565cc7ad238e6d984379 (git) Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < 0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d (git) Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < b45176b869673417ace338b87cf9cdb66e2eeb01 (git) Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < 7fa2e2960fff8322ce2ded57b5f8e9cbc450b967 (git) Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < 383182db8d58c4237772ba0764cded4938a235c3 (git) Affected: c3e1b005ed1cc068fc9d454a6e745830d55d251d , < 7395dfacfff65e9938ac0889dafa1ab01e987d15 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27397",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:39:42.529200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:44:15.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:54:14.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_hash.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f8dfda798650241c1692058713ca4fef8e429061",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "7b17de2a71e56c10335b565cc7ad238e6d984379",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "b45176b869673417ace338b87cf9cdb66e2eeb01",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "7fa2e2960fff8322ce2ded57b5f8e9cbc450b967",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "383182db8d58c4237772ba0764cded4938a235c3",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
},
{
"lessThan": "7395dfacfff65e9938ac0889dafa1ab01e987d15",
"status": "affected",
"version": "c3e1b005ed1cc068fc9d454a6e745830d55d251d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_hash.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.282",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.224",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.320",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.282",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.224",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.165",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:04:07.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061"
},
{
"url": "https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe"
},
{
"url": "https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379"
},
{
"url": "https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d"
},
{
"url": "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01"
},
{
"url": "https://git.kernel.org/stable/c/7fa2e2960fff8322ce2ded57b5f8e9cbc450b967"
},
{
"url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3"
},
{
"url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15"
}
],
"title": "netfilter: nf_tables: use timestamp to check for set element timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-27397",
"datePublished": "2024-05-09T16:37:22.463Z",
"dateReserved": "2024-02-25T13:47:42.677Z",
"dateUpdated": "2025-11-03T21:54:14.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52878 (GCVE-0-2023-52878)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:32 – Updated: 2025-05-04 07:45
VLAI?
EPSS
Title
can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
If the "struct can_priv::echoo_skb" is accessed out of bounds, this
would cause a kernel crash. Instead, issue a meaningful warning
message and return with an error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a6e4bc5304033e434fabccabb230b8e9ff55d76f , < 826120c9ba68f2d0dbae58e99013929c883d1444
(git)
Affected: a6e4bc5304033e434fabccabb230b8e9ff55d76f , < 0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4 (git) Affected: a6e4bc5304033e434fabccabb230b8e9ff55d76f , < 53c468008a7c9ca3f5fc985951f35ec2acae85bc (git) Affected: a6e4bc5304033e434fabccabb230b8e9ff55d76f , < 8ab67da060157362b2e0926692c659808784708f (git) Affected: a6e4bc5304033e434fabccabb230b8e9ff55d76f , < 6411959c10fe917288cbb1038886999148560057 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T17:05:12.659416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:23:41.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/dev/skb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "826120c9ba68f2d0dbae58e99013929c883d1444",
"status": "affected",
"version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
"versionType": "git"
},
{
"lessThan": "0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4",
"status": "affected",
"version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
"versionType": "git"
},
{
"lessThan": "53c468008a7c9ca3f5fc985951f35ec2acae85bc",
"status": "affected",
"version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
"versionType": "git"
},
{
"lessThan": "8ab67da060157362b2e0926692c659808784708f",
"status": "affected",
"version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
"versionType": "git"
},
{
"lessThan": "6411959c10fe917288cbb1038886999148560057",
"status": "affected",
"version": "a6e4bc5304033e434fabccabb230b8e9ff55d76f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/dev/skb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.139",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.63",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.12",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.2",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: can_put_echo_skb(): don\u0027t crash kernel if can_priv::echo_skb is accessed out of bounds\n\nIf the \"struct can_priv::echoo_skb\" is accessed out of bounds, this\nwould cause a kernel crash. Instead, issue a meaningful warning\nmessage and return with an error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:45:00.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/826120c9ba68f2d0dbae58e99013929c883d1444"
},
{
"url": "https://git.kernel.org/stable/c/0d30931f1fa0fb893fb7d5dc32b6b7edfb775be4"
},
{
"url": "https://git.kernel.org/stable/c/53c468008a7c9ca3f5fc985951f35ec2acae85bc"
},
{
"url": "https://git.kernel.org/stable/c/8ab67da060157362b2e0926692c659808784708f"
},
{
"url": "https://git.kernel.org/stable/c/6411959c10fe917288cbb1038886999148560057"
}
],
"title": "can: dev: can_put_echo_skb(): don\u0027t crash kernel if can_priv::echo_skb is accessed out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52878",
"datePublished": "2024-05-21T15:32:10.616Z",
"dateReserved": "2024-05-21T15:19:24.264Z",
"dateUpdated": "2025-05-04T07:45:00.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52703 (GCVE-0-2023-52703)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:22 – Updated: 2025-05-04 07:41
VLAI?
EPSS
Title
net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
syzbot reported that act_len in kalmia_send_init_packet() is
uninitialized when passing it to the first usb_bulk_msg error path. Jiri
Pirko noted that it's pointless to pass it in the error path, and that
the value that would be printed in the second error path would be the
value of act_len from the first call to usb_bulk_msg.[1]
With this in mind, let's just not pass act_len to the usb_bulk_msg error
paths.
1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d40261236e8e278cb1936cb5e934262971692b10 , < 1b5de7d44890b78519acbcc80d8d1f23ff2872e5
(git)
Affected: d40261236e8e278cb1936cb5e934262971692b10 , < 723ef7b66f37c0841f5a451ccbce47ee1641e081 (git) Affected: d40261236e8e278cb1936cb5e934262971692b10 , < a753352622b4f3c0219e0e9c73114b2848ae6042 (git) Affected: d40261236e8e278cb1936cb5e934262971692b10 , < 525bdcb0838d19d918c7786151ee14661967a030 (git) Affected: d40261236e8e278cb1936cb5e934262971692b10 , < 338f826d3afead6e4df521f7972a4bef04a72efb (git) Affected: d40261236e8e278cb1936cb5e934262971692b10 , < 02df3170c04a8356cd571ab9155a42f030190abc (git) Affected: d40261236e8e278cb1936cb5e934262971692b10 , < c68f345b7c425b38656e1791a0486769a8797016 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T17:57:22.463182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T16:41:20.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:35.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kalmia.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b5de7d44890b78519acbcc80d8d1f23ff2872e5",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "723ef7b66f37c0841f5a451ccbce47ee1641e081",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "a753352622b4f3c0219e0e9c73114b2848ae6042",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "525bdcb0838d19d918c7786151ee14661967a030",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "338f826d3afead6e4df521f7972a4bef04a72efb",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "02df3170c04a8356cd571ab9155a42f030190abc",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
},
{
"lessThan": "c68f345b7c425b38656e1791a0486769a8797016",
"status": "affected",
"version": "d40261236e8e278cb1936cb5e934262971692b10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/kalmia.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.169",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.95",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.13",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don\u0027t pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it\u0027s pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let\u0027s just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:41:57.543Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5"
},
{
"url": "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081"
},
{
"url": "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042"
},
{
"url": "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030"
},
{
"url": "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb"
},
{
"url": "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc"
},
{
"url": "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016"
}
],
"title": "net/usb: kalmia: Don\u0027t pass act_len in usb_bulk_msg error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52703",
"datePublished": "2024-05-21T15:22:52.687Z",
"dateReserved": "2024-03-07T14:49:46.891Z",
"dateUpdated": "2025-05-04T07:41:57.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46972 (GCVE-0-2021-46972)
Vulnerability from cvelistv5 – Published: 2024-02-27 18:47 – Updated: 2025-05-04 07:01
VLAI?
EPSS
Title
ovl: fix leaked dentry
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix leaked dentry
Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in
ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a
metacopy error, which leads to dentry leaks when shutting down the related
superblock:
overlayfs: refusing to follow metacopy origin for (/file0)
...
BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
...
WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1
...
RIP: 0010:umount_check.cold+0x107/0x14d
...
Call Trace:
d_walk+0x28c/0x950
? dentry_lru_isolate+0x2b0/0x2b0
? __kasan_slab_free+0x12/0x20
do_one_tree+0x33/0x60
shrink_dcache_for_umount+0x78/0x1d0
generic_shutdown_super+0x70/0x440
kill_anon_super+0x3e/0x70
deactivate_locked_super+0xc4/0x160
deactivate_super+0xfa/0x140
cleanup_mnt+0x22e/0x370
__cleanup_mnt+0x1a/0x30
task_work_run+0x139/0x210
do_exit+0xb0c/0x2820
? __kasan_check_read+0x1d/0x30
? find_held_lock+0x35/0x160
? lock_release+0x1b6/0x660
? mm_update_next_owner+0xa20/0xa20
? reacquire_held_locks+0x3f0/0x3f0
? __sanitizer_cov_trace_const_cmp4+0x22/0x30
do_group_exit+0x135/0x380
__do_sys_exit_group.isra.0+0x20/0x20
__x64_sys_exit_group+0x3c/0x50
do_syscall_64+0x45/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xae
...
VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...
This fix has been tested with a syzkaller reproducer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6815f479ca90ee7fd2e28b2a420f796b974155fe , < 71d58457a8afc650da5d3292a7f7029317654d95
(git)
Affected: 6815f479ca90ee7fd2e28b2a420f796b974155fe , < cf3e3330bc5719fa9d658e3e2f596bde89344a94 (git) Affected: 6815f479ca90ee7fd2e28b2a420f796b974155fe , < d587cfaef72b1b6f4b2774827123bce91f497cc8 (git) Affected: 6815f479ca90ee7fd2e28b2a420f796b974155fe , < eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-28T17:00:35.229463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T17:00:43.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:17:42.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/71d58457a8afc650da5d3292a7f7029317654d95"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf3e3330bc5719fa9d658e3e2f596bde89344a94"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d587cfaef72b1b6f4b2774827123bce91f497cc8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d58457a8afc650da5d3292a7f7029317654d95",
"status": "affected",
"version": "6815f479ca90ee7fd2e28b2a420f796b974155fe",
"versionType": "git"
},
{
"lessThan": "cf3e3330bc5719fa9d658e3e2f596bde89344a94",
"status": "affected",
"version": "6815f479ca90ee7fd2e28b2a420f796b974155fe",
"versionType": "git"
},
{
"lessThan": "d587cfaef72b1b6f4b2774827123bce91f497cc8",
"status": "affected",
"version": "6815f479ca90ee7fd2e28b2a420f796b974155fe",
"versionType": "git"
},
{
"lessThan": "eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41",
"status": "affected",
"version": "6815f479ca90ee7fd2e28b2a420f796b974155fe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.35",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.11.19",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.12.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.13",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix leaked dentry\n\nSince commit 6815f479ca90 (\"ovl: use only uppermetacopy state in\novl_lookup()\"), overlayfs doesn\u0027t put temporary dentry when there is a\nmetacopy error, which leads to dentry leaks when shutting down the related\nsuperblock:\n\n overlayfs: refusing to follow metacopy origin for (/file0)\n ...\n BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]\n ...\n WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d\n CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1\n ...\n RIP: 0010:umount_check.cold+0x107/0x14d\n ...\n Call Trace:\n d_walk+0x28c/0x950\n ? dentry_lru_isolate+0x2b0/0x2b0\n ? __kasan_slab_free+0x12/0x20\n do_one_tree+0x33/0x60\n shrink_dcache_for_umount+0x78/0x1d0\n generic_shutdown_super+0x70/0x440\n kill_anon_super+0x3e/0x70\n deactivate_locked_super+0xc4/0x160\n deactivate_super+0xfa/0x140\n cleanup_mnt+0x22e/0x370\n __cleanup_mnt+0x1a/0x30\n task_work_run+0x139/0x210\n do_exit+0xb0c/0x2820\n ? __kasan_check_read+0x1d/0x30\n ? find_held_lock+0x35/0x160\n ? lock_release+0x1b6/0x660\n ? mm_update_next_owner+0xa20/0xa20\n ? reacquire_held_locks+0x3f0/0x3f0\n ? __sanitizer_cov_trace_const_cmp4+0x22/0x30\n do_group_exit+0x135/0x380\n __do_sys_exit_group.isra.0+0x20/0x20\n __x64_sys_exit_group+0x3c/0x50\n do_syscall_64+0x45/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n ...\n VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...\n\nThis fix has been tested with a syzkaller reproducer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:01:26.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d58457a8afc650da5d3292a7f7029317654d95"
},
{
"url": "https://git.kernel.org/stable/c/cf3e3330bc5719fa9d658e3e2f596bde89344a94"
},
{
"url": "https://git.kernel.org/stable/c/d587cfaef72b1b6f4b2774827123bce91f497cc8"
},
{
"url": "https://git.kernel.org/stable/c/eaab1d45cdb4bb0c846bd23c3d666d5b90af7b41"
}
],
"title": "ovl: fix leaked dentry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-46972",
"datePublished": "2024-02-27T18:47:07.276Z",
"dateReserved": "2024-02-27T18:42:55.943Z",
"dateUpdated": "2025-05-04T07:01:26.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52835 (GCVE-0-2023-52835)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:31 – Updated: 2026-01-05 10:17
VLAI?
EPSS
Title
perf/core: Bail out early if the request AUX area is out of bound
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Bail out early if the request AUX area is out of bound
When perf-record with a large AUX area, e.g 4GB, it fails with:
#perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
failed to mmap with 12 (Cannot allocate memory)
and it reveals a WARNING with __alloc_pages():
------------[ cut here ]------------
WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248
Call trace:
__alloc_pages+0x1ec/0x248
__kmalloc_large_node+0xc0/0x1f8
__kmalloc_node+0x134/0x1e8
rb_alloc_aux+0xe0/0x298
perf_mmap+0x440/0x660
mmap_region+0x308/0x8a8
do_mmap+0x3c0/0x528
vm_mmap_pgoff+0xf4/0x1b8
ksys_mmap_pgoff+0x18c/0x218
__arm64_sys_mmap+0x38/0x58
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0x58/0x188
do_el0_svc+0x34/0x50
el0_svc+0x34/0x108
el0t_64_sync_handler+0xb8/0xc0
el0t_64_sync+0x1a4/0x1a8
'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to
maintains AUX trace pages. The allocated page for this array is physically
contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the
size of pointer array crosses the limitation set by MAX_ORDER, it reveals a
WARNING.
So bail out early with -ENOMEM if the request AUX area is out of bound,
e.g.:
#perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
failed to mmap with 12 (Cannot allocate memory)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 8c504f615d7ed60ae035c51d0c789137ced6797f
(git)
Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 788c0b3442ead737008934947730a6d1ff703734 (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 1a2a4202c60fcdffbf04f259002ce9bff39edece (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < fd0df3f8719201dbe61a4d39083d5aecd705399a (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 9ce4e87a8efd37c85766ec08b15e885cab08553a (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 2424410f94a94d91230ced094062d859714c984a (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 2e905e608e38cf7f8dcddcf8a6036e91a78444cb (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 54aee5f15b83437f23b2b2469bcf21bdd9823916 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:36.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:36:37.546418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:54.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c504f615d7ed60ae035c51d0c789137ced6797f",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "788c0b3442ead737008934947730a6d1ff703734",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "1a2a4202c60fcdffbf04f259002ce9bff39edece",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "fd0df3f8719201dbe61a4d39083d5aecd705399a",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "9ce4e87a8efd37c85766ec08b15e885cab08553a",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "2424410f94a94d91230ced094062d859714c984a",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "2e905e608e38cf7f8dcddcf8a6036e91a78444cb",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "54aee5f15b83437f23b2b2469bcf21bdd9823916",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/ring_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.300",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.262",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.202",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.140",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.64",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.13",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Bail out early if the request AUX area is out of bound\n\nWhen perf-record with a large AUX area, e.g 4GB, it fails with:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)\n\nand it reveals a WARNING with __alloc_pages():\n\n\t------------[ cut here ]------------\n\tWARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248\n\tCall trace:\n\t __alloc_pages+0x1ec/0x248\n\t __kmalloc_large_node+0xc0/0x1f8\n\t __kmalloc_node+0x134/0x1e8\n\t rb_alloc_aux+0xe0/0x298\n\t perf_mmap+0x440/0x660\n\t mmap_region+0x308/0x8a8\n\t do_mmap+0x3c0/0x528\n\t vm_mmap_pgoff+0xf4/0x1b8\n\t ksys_mmap_pgoff+0x18c/0x218\n\t __arm64_sys_mmap+0x38/0x58\n\t invoke_syscall+0x50/0x128\n\t el0_svc_common.constprop.0+0x58/0x188\n\t do_el0_svc+0x34/0x50\n\t el0_svc+0x34/0x108\n\t el0t_64_sync_handler+0xb8/0xc0\n\t el0t_64_sync+0x1a4/0x1a8\n\n\u0027rb-\u003eaux_pages\u0027 allocated by kcalloc() is a pointer array which is used to\nmaintains AUX trace pages. The allocated page for this array is physically\ncontiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the\nsize of pointer array crosses the limitation set by MAX_ORDER, it reveals a\nWARNING.\n\nSo bail out early with -ENOMEM if the request AUX area is out of bound,\ne.g.:\n\n #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1\n failed to mmap with 12 (Cannot allocate memory)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:17:48.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f"
},
{
"url": "https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734"
},
{
"url": "https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece"
},
{
"url": "https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a"
},
{
"url": "https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a"
},
{
"url": "https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a"
},
{
"url": "https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb"
},
{
"url": "https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916"
}
],
"title": "perf/core: Bail out early if the request AUX area is out of bound",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52835",
"datePublished": "2024-05-21T15:31:36.239Z",
"dateReserved": "2024-05-21T15:19:24.252Z",
"dateUpdated": "2026-01-05T10:17:48.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52781 (GCVE-0-2023-52781)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:31 – Updated: 2025-05-04 12:49
VLAI?
EPSS
Title
usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
The BOS descriptor defines a root descriptor and is the base descriptor for
accessing a family of related descriptors.
Function 'usb_get_bos_descriptor()' encounters an iteration issue when
skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in
the same descriptor being read repeatedly.
To address this issue, a 'goto' statement is introduced to ensure that the
pointer and the amount read is updated correctly. This ensures that the
function iterates to the next descriptor instead of reading the same
descriptor repeatedly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3dd550a2d36596a1b0ee7955da3b611c031d3873 , < 9ef94ec8e52eaf7b9abc5b5f8f5b911751112223
(git)
Affected: 3dd550a2d36596a1b0ee7955da3b611c031d3873 , < 64c27b7b2357ddb38b6afebaf46d5bff4d250702 (git) Affected: 3dd550a2d36596a1b0ee7955da3b611c031d3873 , < f89fef7710b2ba0f7a1e46594e530dcf2f77be91 (git) Affected: 3dd550a2d36596a1b0ee7955da3b611c031d3873 , < 7c0244cc311a4038505b73682b7c8ceaa5c7a8c8 (git) Affected: 3dd550a2d36596a1b0ee7955da3b611c031d3873 , < 974bba5c118f4c2baf00de0356e3e4f7928b4cbc (git) Affected: 77ce180d68beffd1af620d0121590e16683fc6b8 (git) Affected: 20a07e1aadcd6990893c532d1b2b507bfa065152 (git) Affected: a5c051b6503c0ba543e993cfc295b64f096e0a29 (git) Affected: ea4a173d8358b756a780786baa3fc39d282bdbe3 (git) Affected: 77d4e2a058858b4a94fc469bc1bfc94a0958e252 (git) Affected: 1fc15d29540a69cfb55c8b8f8c38f1af33178243 (git) Affected: 9f8dd40c68c176f2c3f1fc8b87bc81756856938f (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T17:27:41.275139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:22:33.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:35.495Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/core/config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ef94ec8e52eaf7b9abc5b5f8f5b911751112223",
"status": "affected",
"version": "3dd550a2d36596a1b0ee7955da3b611c031d3873",
"versionType": "git"
},
{
"lessThan": "64c27b7b2357ddb38b6afebaf46d5bff4d250702",
"status": "affected",
"version": "3dd550a2d36596a1b0ee7955da3b611c031d3873",
"versionType": "git"
},
{
"lessThan": "f89fef7710b2ba0f7a1e46594e530dcf2f77be91",
"status": "affected",
"version": "3dd550a2d36596a1b0ee7955da3b611c031d3873",
"versionType": "git"
},
{
"lessThan": "7c0244cc311a4038505b73682b7c8ceaa5c7a8c8",
"status": "affected",
"version": "3dd550a2d36596a1b0ee7955da3b611c031d3873",
"versionType": "git"
},
{
"lessThan": "974bba5c118f4c2baf00de0356e3e4f7928b4cbc",
"status": "affected",
"version": "3dd550a2d36596a1b0ee7955da3b611c031d3873",
"versionType": "git"
},
{
"status": "affected",
"version": "77ce180d68beffd1af620d0121590e16683fc6b8",
"versionType": "git"
},
{
"status": "affected",
"version": "20a07e1aadcd6990893c532d1b2b507bfa065152",
"versionType": "git"
},
{
"status": "affected",
"version": "a5c051b6503c0ba543e993cfc295b64f096e0a29",
"versionType": "git"
},
{
"status": "affected",
"version": "ea4a173d8358b756a780786baa3fc39d282bdbe3",
"versionType": "git"
},
{
"status": "affected",
"version": "77d4e2a058858b4a94fc469bc1bfc94a0958e252",
"versionType": "git"
},
{
"status": "affected",
"version": "1fc15d29540a69cfb55c8b8f8c38f1af33178243",
"versionType": "git"
},
{
"status": "affected",
"version": "9f8dd40c68c176f2c3f1fc8b87bc81756856938f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/core/config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.203",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.142",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.66",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in \u0027usb_get_bos_descriptor()\u0027\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction \u0027usb_get_bos_descriptor()\u0027 encounters an iteration issue when\nskipping the \u0027USB_DT_DEVICE_CAPABILITY\u0027 descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a \u0027goto\u0027 statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:36.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223"
},
{
"url": "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702"
},
{
"url": "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91"
},
{
"url": "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8"
},
{
"url": "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc"
}
],
"title": "usb: config: fix iteration issue in \u0027usb_get_bos_descriptor()\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52781",
"datePublished": "2024-05-21T15:31:00.242Z",
"dateReserved": "2024-05-21T15:19:24.240Z",
"dateUpdated": "2025-05-04T12:49:36.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26801 (GCVE-0-2024-26801)
Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2025-05-04 08:56
VLAI?
EPSS
Title
Bluetooth: Avoid potential use-after-free in hci_error_reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Avoid potential use-after-free in hci_error_reset
While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
BT controller is not responding, the GPIO reset mechanism would
free the hci_dev and lead to a use-after-free in hci_error_reset.
Here's the call trace observed on a ChromeOS device with Intel AX201:
queue_work_on+0x3e/0x6c
__hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]
? init_wait_entry+0x31/0x31
__hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]
hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]
process_one_work+0x1d8/0x33f
worker_thread+0x21b/0x373
kthread+0x13a/0x152
? pr_cont_work+0x54/0x54
? kthread_blkcg+0x31/0x31
ret_from_fork+0x1f/0x30
This patch holds the reference count on the hci_dev while processing
a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < e0b278650f07acf2e0932149183458468a731c03
(git)
Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 98fb98fd37e42fd4ce13ff657ea64503e24b6090 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < da4569d450b193e39e87119fd316c0291b585d14 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 45085686b9559bfbe3a4f41d3d695a520668f5e1 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 2ab9a19d896f5a0dd386e1f001c5309bc35f433b (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < dd594cdc24f2e48dab441732e6dfcafd6b0711d1 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 2449007d3f73b2842c9734f45f0aadb522daf592 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.522Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-15T19:27:12.303916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T19:27:19.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e0b278650f07acf2e0932149183458468a731c03",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "98fb98fd37e42fd4ce13ff657ea64503e24b6090",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "da4569d450b193e39e87119fd316c0291b585d14",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "45085686b9559bfbe3a4f41d3d695a520668f5e1",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "2ab9a19d896f5a0dd386e1f001c5309bc35f433b",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "dd594cdc24f2e48dab441732e6dfcafd6b0711d1",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
},
{
"lessThan": "2449007d3f73b2842c9734f45f0aadb522daf592",
"status": "affected",
"version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.309",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.271",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.309",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.271",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.212",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.151",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.81",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.21",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere\u0027s the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth \u003cHASH:3b4a6\u003e]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth \u003cHASH:3b4a 6\u003e]\n hci_error_reset+0x4f/0xa4 [bluetooth \u003cHASH:3b4a 6\u003e]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:56:52.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
},
{
"url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
},
{
"url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
},
{
"url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
},
{
"url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
},
{
"url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
},
{
"url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
},
{
"url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
}
],
"title": "Bluetooth: Avoid potential use-after-free in hci_error_reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26801",
"datePublished": "2024-04-04T08:20:29.211Z",
"dateReserved": "2024-02-19T14:20:24.179Z",
"dateUpdated": "2025-05-04T08:56:52.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52881 (GCVE-0-2023-52881)
Vulnerability from cvelistv5 – Published: 2024-05-29 10:15 – Updated: 2025-05-04 12:49
VLAI?
EPSS
Title
tcp: do not accept ACK of bytes we never sent
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: do not accept ACK of bytes we never sent
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 69eae75ca5255e876628ac5cee9eaab31f644b57
(git)
Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 458f07ffeccd17f99942311e09ef574ddf4a414a (git) Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 7ffff0cc929fdfc62a74b384c4903d6496c910f0 (git) Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < b17a886ed29f3b70b78ccf632dad03e0c69e3c1a (git) Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 0d4e0afdd6658cd21dd5be61880411a2553fd1fc (git) Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 008b807fe487e0b15a3a6c39add4eb477f73e440 (git) Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 2087d53a66e97a5eb5d1bf558d5bef9e5f891757 (git) Affected: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 , < 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 (git) Affected: 8d15569e14cfcf9151e9e3b4c0cb98369943a2bb (git) Affected: e252bbd8c87b95e9cecdc01350fbb0b46a0f9bf1 (git) Affected: 2ee4432e82437a7c051c254b065fbf5d4581e1a3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T16:46:40.495686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T15:11:03.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69eae75ca5255e876628ac5cee9eaab31f644b57",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "458f07ffeccd17f99942311e09ef574ddf4a414a",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "7ffff0cc929fdfc62a74b384c4903d6496c910f0",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "b17a886ed29f3b70b78ccf632dad03e0c69e3c1a",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "0d4e0afdd6658cd21dd5be61880411a2553fd1fc",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "008b807fe487e0b15a3a6c39add4eb477f73e440",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "2087d53a66e97a5eb5d1bf558d5bef9e5f891757",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"status": "affected",
"version": "8d15569e14cfcf9151e9e3b4c0cb98369943a2bb",
"versionType": "git"
},
{
"status": "affected",
"version": "e252bbd8c87b95e9cecdc01350fbb0b46a0f9bf1",
"versionType": "git"
},
{
"status": "affected",
"version": "2ee4432e82437a7c051c254b065fbf5d4581e1a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.333",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.333",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.302",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.264",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.143",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n The ACK value is considered acceptable only if\n it is in the range of ((SND.UNA - MAX.SND.WND) \u003c= SEG.ACK \u003c=\n SND.NXT). All incoming segments whose ACK value doesn\u0027t satisfy the\n above condition MUST be discarded and an ACK sent back. It needs to\n be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n duplicate (SEG.ACK \u003c SND.UNA), it can be ignored. If the ACK\n acknowledges something not yet sent (SEG.ACK \u003e SND.NXT) then send an\n ACK, drop the segment, and return\". The \"ignored\" above implies that\n the processing of the incoming data segment continues, which means\n the ACK value is treated as acceptable. This mitigation makes the\n ACK check more stringent since any ACK \u003c SND.UNA wouldn\u0027t be\n accepted, instead only ACKs that are in the range ((SND.UNA -\n MAX.SND.WND) \u003c= SEG.ACK \u003c= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the \u0027blamed\u0027 patch was adhering to the RFC.\n\ntp-\u003ebytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 \u003c S 0:0(0) win 65535 \u003cmss 1400,nop,wscale 14\u003e\n+0 \u003e S. 0:0(0) ack 1 \u003c...\u003e\n+0 \u003c . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 \u003c . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 \u003e . 1:1(0) ack 1001"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:46.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57"
},
{
"url": "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a"
},
{
"url": "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0"
},
{
"url": "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a"
},
{
"url": "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc"
},
{
"url": "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440"
},
{
"url": "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757"
},
{
"url": "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27"
}
],
"title": "tcp: do not accept ACK of bytes we never sent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52881",
"datePublished": "2024-05-29T10:15:14.186Z",
"dateReserved": "2024-05-21T15:35:00.781Z",
"dateUpdated": "2025-05-04T12:49:46.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26804 (GCVE-0-2024-26804)
Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2025-05-04 12:54
VLAI?
EPSS
Title
net: ip_tunnel: prevent perpetual headroom growth
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ip_tunnel: prevent perpetual headroom growth
syzkaller triggered following kasan splat:
BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191
[..]
kasan_report+0xda/0x110 mm/kasan/report.c:588
__skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]
___skb_get_hash net/core/flow_dissector.c:1791 [inline]
__skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
skb_get_hash include/linux/skbuff.h:1556 [inline]
ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748
ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
__dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592
...
ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235
ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
..
iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831
ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
...
The splat occurs because skb->data points past skb->head allocated area.
This is because neigh layer does:
__skb_pull(skb, skb_network_offset(skb));
... but skb_network_offset() returns a negative offset and __skb_pull()
arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value.
The negative value is returned because skb->head and skb->data distance is
more than 64k and skb->network_header (u16) has wrapped around.
The bug is in the ip_tunnel infrastructure, which can cause
dev->needed_headroom to increment ad infinitum.
The syzkaller reproducer consists of packets getting routed via a gre
tunnel, and route of gre encapsulated packets pointing at another (ipip)
tunnel. The ipip encapsulation finds gre0 as next output device.
This results in the following pattern:
1). First packet is to be sent out via gre0.
Route lookup found an output device, ipip0.
2).
ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future
output device, rt.dev->needed_headroom (ipip0).
3).
ip output / start_xmit moves skb on to ipip0. which runs the same
code path again (xmit recursion).
4).
Routing step for the post-gre0-encap packet finds gre0 as output device
to use for ipip0 encapsulated packet.
tunl0->needed_headroom is then incremented based on the (already bumped)
gre0 device headroom.
This repeats for every future packet:
gre0->needed_headroom gets inflated because previous packets' ipip0 step
incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0
needed_headroom was increased.
For each subsequent packet, gre/ipip0->needed_headroom grows until
post-expand-head reallocations result in a skb->head/data distance of
more than 64k.
Once that happens, skb->network_header (u16) wraps around when
pskb_expand_head tries to make sure that skb_network_offset() is unchanged
after the headroom expansion/reallocation.
After this skb_network_offset(skb) returns a different (and negative)
result post headroom expansion.
The next trip to neigh layer (or anything else that would __skb_pull the
network header) makes skb->data point to a memory location outside
skb->head area.
v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to
prevent perpetual increase instead of dropping the headroom increment
completely.
Severity ?
5.3 (Medium)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
243aad830e8a4cdda261626fbaeddde16b08d04a , < f81e94d2dcd2397137edcb8b85f4c5bed5d22383
(git)
Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < 2e95350fe9db9d53c701075060ac8ac883b68aee (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < afec0c5cd2ed71ca95a8b36a5e6d03333bf34282 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < ab63de24ebea36fe73ac7121738595d704b66d96 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < 049d7989c67e8dd50f07a2096dbafdb41331fb9b (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < 5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f (git) Affected: 03017375b0122453e6dda833ff7bd4191915def5 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:26:17.359512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:40:15.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f81e94d2dcd2397137edcb8b85f4c5bed5d22383",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"lessThan": "2e95350fe9db9d53c701075060ac8ac883b68aee",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"lessThan": "afec0c5cd2ed71ca95a8b36a5e6d03333bf34282",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"lessThan": "ab63de24ebea36fe73ac7121738595d704b66d96",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"lessThan": "a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"lessThan": "049d7989c67e8dd50f07a2096dbafdb41331fb9b",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"lessThan": "5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f",
"status": "affected",
"version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
"versionType": "git"
},
{
"status": "affected",
"version": "03017375b0122453e6dda833ff7bd4191915def5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.271",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.271",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.212",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.151",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.81",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.21",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.9",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb-\u003edata points past skb-\u003ehead allocated area.\nThis is because neigh layer does:\n __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned. IOW, we skb-\u003edata gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb-\u003ehead and skb-\u003edata distance is\nmore than 64k and skb-\u003enetwork_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev-\u003eneeded_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel. The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0-\u003eneeded_headroom based on the future\noutput device, rt.dev-\u003eneeded_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0-\u003eneeded_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0-\u003eneeded_headroom gets inflated because previous packets\u0027 ipip0 step\nincremented rt-\u003edev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0-\u003eneeded_headroom grows until\npost-expand-head reallocations result in a skb-\u003ehead/data distance of\nmore than 64k.\n\nOnce that happens, skb-\u003enetwork_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb-\u003edata point to a memory location outside\nskb-\u003ehead area.\n\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:54:46.707Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383"
},
{
"url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee"
},
{
"url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"
},
{
"url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96"
},
{
"url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"
},
{
"url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b"
},
{
"url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"
}
],
"title": "net: ip_tunnel: prevent perpetual headroom growth",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26804",
"datePublished": "2024-04-04T08:20:31.305Z",
"dateReserved": "2024-02-19T14:20:24.179Z",
"dateUpdated": "2025-05-04T12:54:46.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52813 (GCVE-0-2023-52813)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:31 – Updated: 2025-07-15 15:43
VLAI?
EPSS
Title
crypto: pcrypt - Fix hungtask for PADATA_RESET
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcrypt - Fix hungtask for PADATA_RESET
We found a hungtask bug in test_aead_vec_cfg as follows:
INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call trace:
__switch_to+0x98/0xe0
__schedule+0x6c4/0xf40
schedule+0xd8/0x1b4
schedule_timeout+0x474/0x560
wait_for_common+0x368/0x4e0
wait_for_completion+0x20/0x30
wait_for_completion+0x20/0x30
test_aead_vec_cfg+0xab4/0xd50
test_aead+0x144/0x1f0
alg_test_aead+0xd8/0x1e0
alg_test+0x634/0x890
cryptomgr_test+0x40/0x70
kthread+0x1e0/0x220
ret_from_fork+0x10/0x18
Kernel panic - not syncing: hung_task: blocked tasks
For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
case, aead_request_complete() will be called in pcrypt_aead_serial and the
return err is 0 for padata_do_parallel. But, when pinst->flags is
PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
hung at wait_for_completion(&wait->completion), which will cause
hungtask.
The problem comes as following:
(padata_do_parallel) |
rcu_read_lock_bh(); |
err = -EINVAL; | (padata_replace)
| pinst->flags |= PADATA_RESET;
err = -EBUSY |
if (pinst->flags & PADATA_RESET) |
rcu_read_unlock_bh() |
return err
In order to resolve the problem, we replace the return err -EBUSY with
-EAGAIN, which means parallel_data is changing, and the caller should call
it again.
v3:
remove retry and just change the return err.
v2:
introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
pcrypt_aead_decrypt to solve the hungtask.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
16295bec6398a3eedc9377e1af6ff4c71b98c300 , < fb2d3a50a8f29a3c66682bb426144f40e32ab818
(git)
Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < 039fec48e062504f14845124a1a25eb199b2ddc0 (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < c9c1334697301c10e6918d747ed38abfbc0c96e7 (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < e97bf4ada7dddacd184c3e196bd063b0dc71b41d (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < 546c1796ad1ed0d87dab3c4b5156d75819be2316 (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < c55fc098fd9d2dca475b82d00ffbcaf97879d77e (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < e134f3aba98e6c801a693f540912c2d493718ddf (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < 372636debe852913529b1716f44addd94fff2d28 (git) Affected: 16295bec6398a3eedc9377e1af6ff4c71b98c300 , < 8f4f68e788c3a7a696546291258bfa5fdb215523 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T17:18:51.048604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:24:13.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:36.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/pcrypt.c",
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb2d3a50a8f29a3c66682bb426144f40e32ab818",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "039fec48e062504f14845124a1a25eb199b2ddc0",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "c9c1334697301c10e6918d747ed38abfbc0c96e7",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "e97bf4ada7dddacd184c3e196bd063b0dc71b41d",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "546c1796ad1ed0d87dab3c4b5156d75819be2316",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "c55fc098fd9d2dca475b82d00ffbcaf97879d77e",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "e134f3aba98e6c801a693f540912c2d493718ddf",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "372636debe852913529b1716f44addd94fff2d28",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
},
{
"lessThan": "8f4f68e788c3a7a696546291258bfa5fdb215523",
"status": "affected",
"version": "16295bec6398a3eedc9377e1af6ff4c71b98c300",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/pcrypt.c",
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.331",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.300",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.262",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.202",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.140",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.64",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.13",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix hungtask for PADATA_RESET\n\nWe found a hungtask bug in test_aead_vec_cfg as follows:\n\nINFO: task cryptomgr_test:391009 blocked for more than 120 seconds.\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\nCall trace:\n __switch_to+0x98/0xe0\n __schedule+0x6c4/0xf40\n schedule+0xd8/0x1b4\n schedule_timeout+0x474/0x560\n wait_for_common+0x368/0x4e0\n wait_for_completion+0x20/0x30\n wait_for_completion+0x20/0x30\n test_aead_vec_cfg+0xab4/0xd50\n test_aead+0x144/0x1f0\n alg_test_aead+0xd8/0x1e0\n alg_test+0x634/0x890\n cryptomgr_test+0x40/0x70\n kthread+0x1e0/0x220\n ret_from_fork+0x10/0x18\n Kernel panic - not syncing: hung_task: blocked tasks\n\nFor padata_do_parallel, when the return err is 0 or -EBUSY, it will call\nwait_for_completion(\u0026wait-\u003ecompletion) in test_aead_vec_cfg. In normal\ncase, aead_request_complete() will be called in pcrypt_aead_serial and the\nreturn err is 0 for padata_do_parallel. But, when pinst-\u003eflags is\nPADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it\nwon\u0027t call aead_request_complete(). Therefore, test_aead_vec_cfg will\nhung at wait_for_completion(\u0026wait-\u003ecompletion), which will cause\nhungtask.\n\nThe problem comes as following:\n(padata_do_parallel) |\n rcu_read_lock_bh(); |\n err = -EINVAL; | (padata_replace)\n | pinst-\u003eflags |= PADATA_RESET;\n err = -EBUSY |\n if (pinst-\u003eflags \u0026 PADATA_RESET) |\n rcu_read_unlock_bh() |\n return err\n\nIn order to resolve the problem, we replace the return err -EBUSY with\n-EAGAIN, which means parallel_data is changing, and the caller should call\nit again.\n\nv3:\nremove retry and just change the return err.\nv2:\nintroduce padata_try_do_parallel() in pcrypt_aead_encrypt and\npcrypt_aead_decrypt to solve the hungtask."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T15:43:50.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb2d3a50a8f29a3c66682bb426144f40e32ab818"
},
{
"url": "https://git.kernel.org/stable/c/039fec48e062504f14845124a1a25eb199b2ddc0"
},
{
"url": "https://git.kernel.org/stable/c/c9c1334697301c10e6918d747ed38abfbc0c96e7"
},
{
"url": "https://git.kernel.org/stable/c/e97bf4ada7dddacd184c3e196bd063b0dc71b41d"
},
{
"url": "https://git.kernel.org/stable/c/546c1796ad1ed0d87dab3c4b5156d75819be2316"
},
{
"url": "https://git.kernel.org/stable/c/c55fc098fd9d2dca475b82d00ffbcaf97879d77e"
},
{
"url": "https://git.kernel.org/stable/c/e134f3aba98e6c801a693f540912c2d493718ddf"
},
{
"url": "https://git.kernel.org/stable/c/372636debe852913529b1716f44addd94fff2d28"
},
{
"url": "https://git.kernel.org/stable/c/8f4f68e788c3a7a696546291258bfa5fdb215523"
}
],
"title": "crypto: pcrypt - Fix hungtask for PADATA_RESET",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52813",
"datePublished": "2024-05-21T15:31:21.604Z",
"dateReserved": "2024-05-21T15:19:24.248Z",
"dateUpdated": "2025-07-15T15:43:50.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26735 (GCVE-0-2024-26735)
Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2025-05-04 08:55
VLAI?
EPSS
Title
ipv6: sr: fix possible use-after-free and null-ptr-deref
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: sr: fix possible use-after-free and null-ptr-deref
The pernet operations structure for the subsystem must be registered
before registering the generic netlink family.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 953f42934533c151f440cd32390044d2396b87aa
(git)
Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 82831e3ff76ef09fb184eb93b79a3eb3fb284f1d (git) Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 65c38f23d10ff79feea1e5d50b76dc7af383c1e6 (git) Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 91b020aaa1e59bfb669d34c968e3db3d5416bcee (git) Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 8391b9b651cfdf80ab0f1dc4a489f9d67386e197 (git) Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 9e02973dbc6a91e40aa4f5d87b8c47446fbfce44 (git) Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 02b08db594e8218cfbc0e4680d4331b457968a9b (git) Affected: 915d7e5e5930b4f01d0971d93b9b25ed17d221aa , < 5559cea2d5aa3018a5f00dd2aca3427ba09b386b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T14:17:44.078376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:01:54.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-01T17:03:12.597Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241101-0012/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "953f42934533c151f440cd32390044d2396b87aa",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "82831e3ff76ef09fb184eb93b79a3eb3fb284f1d",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "65c38f23d10ff79feea1e5d50b76dc7af383c1e6",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "91b020aaa1e59bfb669d34c968e3db3d5416bcee",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "8391b9b651cfdf80ab0f1dc4a489f9d67386e197",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "9e02973dbc6a91e40aa4f5d87b8c47446fbfce44",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "02b08db594e8218cfbc0e4680d4331b457968a9b",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
},
{
"lessThan": "5559cea2d5aa3018a5f00dd2aca3427ba09b386b",
"status": "affected",
"version": "915d7e5e5930b4f01d0971d93b9b25ed17d221aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/seg6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.308",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:55:13.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa"
},
{
"url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d"
},
{
"url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6"
},
{
"url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee"
},
{
"url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197"
},
{
"url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44"
},
{
"url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b"
},
{
"url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b"
}
],
"title": "ipv6: sr: fix possible use-after-free and null-ptr-deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26735",
"datePublished": "2024-04-03T17:00:21.972Z",
"dateReserved": "2024-02-19T14:20:24.165Z",
"dateUpdated": "2025-05-04T08:55:13.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35838 (GCVE-0-2024-35838)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:02 – Updated: 2025-05-04 09:06
VLAI?
EPSS
Title
wifi: mac80211: fix potential sta-link leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix potential sta-link leak
When a station is allocated, links are added but not
set to valid yet (e.g. during connection to an AP MLD),
we might remove the station without ever marking links
valid, and leak them. Fix that.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cb71f1d136a635decf43c3b502ee34fb05640fcd , < 49aaeb8c539b1633b3bd7c2df131ec578aa1eae1
(git)
Affected: cb71f1d136a635decf43c3b502ee34fb05640fcd , < 587c5892976108674bbe61a8ff659de279318034 (git) Affected: cb71f1d136a635decf43c3b502ee34fb05640fcd , < e04bf59bdba0fa45d52160be676114e16be855a9 (git) Affected: cb71f1d136a635decf43c3b502ee34fb05640fcd , < b01a74b3ca6fd51b62c67733ba7c3280fa6c5d26 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:39:07.857159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:42:37.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:49.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/49aaeb8c539b1633b3bd7c2df131ec578aa1eae1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/587c5892976108674bbe61a8ff659de279318034"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e04bf59bdba0fa45d52160be676114e16be855a9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b01a74b3ca6fd51b62c67733ba7c3280fa6c5d26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/sta_info.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49aaeb8c539b1633b3bd7c2df131ec578aa1eae1",
"status": "affected",
"version": "cb71f1d136a635decf43c3b502ee34fb05640fcd",
"versionType": "git"
},
{
"lessThan": "587c5892976108674bbe61a8ff659de279318034",
"status": "affected",
"version": "cb71f1d136a635decf43c3b502ee34fb05640fcd",
"versionType": "git"
},
{
"lessThan": "e04bf59bdba0fa45d52160be676114e16be855a9",
"status": "affected",
"version": "cb71f1d136a635decf43c3b502ee34fb05640fcd",
"versionType": "git"
},
{
"lessThan": "b01a74b3ca6fd51b62c67733ba7c3280fa6c5d26",
"status": "affected",
"version": "cb71f1d136a635decf43c3b502ee34fb05640fcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/sta_info.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix potential sta-link leak\n\nWhen a station is allocated, links are added but not\nset to valid yet (e.g. during connection to an AP MLD),\nwe might remove the station without ever marking links\nvalid, and leak them. Fix that."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:06:33.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49aaeb8c539b1633b3bd7c2df131ec578aa1eae1"
},
{
"url": "https://git.kernel.org/stable/c/587c5892976108674bbe61a8ff659de279318034"
},
{
"url": "https://git.kernel.org/stable/c/e04bf59bdba0fa45d52160be676114e16be855a9"
},
{
"url": "https://git.kernel.org/stable/c/b01a74b3ca6fd51b62c67733ba7c3280fa6c5d26"
}
],
"title": "wifi: mac80211: fix potential sta-link leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35838",
"datePublished": "2024-05-17T14:02:36.410Z",
"dateReserved": "2024-05-17T13:50:33.104Z",
"dateUpdated": "2025-05-04T09:06:33.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26982 (GCVE-0-2024-26982)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:27 – Updated: 2026-01-05 10:35
VLAI?
EPSS
Title
Squashfs: check the inode number is not the invalid value of zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check the inode number is not the invalid value of zero
Syskiller has produced an out of bounds access in fill_meta_index().
That out of bounds access is ultimately caused because the inode
has an inode number with the invalid value of zero, which was not checked.
The reason this causes the out of bounds access is due to following
sequence of events:
1. Fill_meta_index() is called to allocate (via empty_meta_index())
and fill a metadata index. It however suffers a data read error
and aborts, invalidating the newly returned empty metadata index.
It does this by setting the inode number of the index to zero,
which means unused (zero is not a valid inode number).
2. When fill_meta_index() is subsequently called again on another
read operation, locate_meta_index() returns the previous index
because it matches the inode number of 0. Because this index
has been returned it is expected to have been filled, and because
it hasn't been, an out of bounds access is performed.
This patch adds a sanity check which checks that the inode number
is not zero when the inode is created and returns -EINVAL if it is.
[phillip@squashfs.org.uk: whitespace fix]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 32c114a58236fe67141634774559f21f1dc96fd7
(git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 4a1b6f89825e267e156ccaeba3d235edcac77f94 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < cf46f88b92cfc0e32bd8a21ba1273cff13b8745f (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 5b99dea79650b50909c50aba24fbae00f203f013 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < be383effaee3d89034f0828038f95065b518772e (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 7def00ebc9f2d6a581ddf46ce4541f84a10680e5 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 9253c54e01b6505d348afbc02abaa4d9f8a01395 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:15:00.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:45:06.926436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:42.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32c114a58236fe67141634774559f21f1dc96fd7",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "4a1b6f89825e267e156ccaeba3d235edcac77f94",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "cf46f88b92cfc0e32bd8a21ba1273cff13b8745f",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "5b99dea79650b50909c50aba24fbae00f203f013",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "be383effaee3d89034f0828038f95065b518772e",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "7def00ebc9f2d6a581ddf46ce4541f84a10680e5",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "9253c54e01b6505d348afbc02abaa4d9f8a01395",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.30",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.8",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn\u0027t been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:35:08.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32c114a58236fe67141634774559f21f1dc96fd7"
},
{
"url": "https://git.kernel.org/stable/c/4a1b6f89825e267e156ccaeba3d235edcac77f94"
},
{
"url": "https://git.kernel.org/stable/c/cf46f88b92cfc0e32bd8a21ba1273cff13b8745f"
},
{
"url": "https://git.kernel.org/stable/c/5b99dea79650b50909c50aba24fbae00f203f013"
},
{
"url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"
},
{
"url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
},
{
"url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
}
],
"title": "Squashfs: check the inode number is not the invalid value of zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26982",
"datePublished": "2024-05-01T05:27:11.032Z",
"dateReserved": "2024-02-19T14:20:24.204Z",
"dateUpdated": "2026-01-05T10:35:08.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26906 (GCVE-0-2024-26906)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2026-01-05 10:34
VLAI?
EPSS
Title
x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
When trying to use copy_from_kernel_nofault() to read vsyscall page
through a bpf program, the following oops was reported:
BUG: unable to handle page fault for address: ffffffffff600000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
......
Call Trace:
<TASK>
? copy_from_kernel_nofault+0x6f/0x110
bpf_probe_read_kernel+0x1d/0x50
bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
trace_call_bpf+0xc5/0x1c0
perf_call_bpf_enter.isra.0+0x69/0xb0
perf_syscall_enter+0x13e/0x200
syscall_trace_enter+0x188/0x1c0
do_syscall_64+0xb5/0xe0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
</TASK>
......
---[ end trace 0000000000000000 ]---
The oops is triggered when:
1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
page and invokes copy_from_kernel_nofault() which in turn calls
__get_user_asm().
2) Because the vsyscall page address is not readable from kernel space,
a page fault exception is triggered accordingly.
3) handle_page_fault() considers the vsyscall page address as a user
space address instead of a kernel space address. This results in the
fix-up setup by bpf not being applied and a page_fault_oops() is invoked
due to SMAP.
Considering handle_page_fault() has already considered the vsyscall page
address as a userspace address, fix the problem by disallowing vsyscall
page read for copy_from_kernel_nofault().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
75a1a607bb7e6d918be3aca11ec2214a275392f4 , < 6e4694e65b6db4c3de125115dd4f55848cc48381
(git)
Affected: 75a1a607bb7e6d918be3aca11ec2214a275392f4 , < e8a67fe34b76a49320b33032228a794f40b0316b (git) Affected: 75a1a607bb7e6d918be3aca11ec2214a275392f4 , < f175de546a3eb77614d94d4c02550181c0a8493e (git) Affected: 75a1a607bb7e6d918be3aca11ec2214a275392f4 , < 57f78c46f08198e1be08ffe99c4c1ccc12855bf5 (git) Affected: 75a1a607bb7e6d918be3aca11ec2214a275392f4 , < 29bd6f86904682adafe9affbc7f79b14defcaff8 (git) Affected: 75a1a607bb7e6d918be3aca11ec2214a275392f4 , < 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.490Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:47:59.842385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:22.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/mm/maccess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e4694e65b6db4c3de125115dd4f55848cc48381",
"status": "affected",
"version": "75a1a607bb7e6d918be3aca11ec2214a275392f4",
"versionType": "git"
},
{
"lessThan": "e8a67fe34b76a49320b33032228a794f40b0316b",
"status": "affected",
"version": "75a1a607bb7e6d918be3aca11ec2214a275392f4",
"versionType": "git"
},
{
"lessThan": "f175de546a3eb77614d94d4c02550181c0a8493e",
"status": "affected",
"version": "75a1a607bb7e6d918be3aca11ec2214a275392f4",
"versionType": "git"
},
{
"lessThan": "57f78c46f08198e1be08ffe99c4c1ccc12855bf5",
"status": "affected",
"version": "75a1a607bb7e6d918be3aca11ec2214a275392f4",
"versionType": "git"
},
{
"lessThan": "29bd6f86904682adafe9affbc7f79b14defcaff8",
"status": "affected",
"version": "75a1a607bb7e6d918be3aca11ec2214a275392f4",
"versionType": "git"
},
{
"lessThan": "32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58",
"status": "affected",
"version": "75a1a607bb7e6d918be3aca11ec2214a275392f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/mm/maccess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n \u003cTASK\u003e\n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \u003c/TASK\u003e\n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:34:56.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"
},
{
"url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"
},
{
"url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"
},
{
"url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"
},
{
"url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"
},
{
"url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"
}
],
"title": "x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26906",
"datePublished": "2024-04-17T10:27:53.573Z",
"dateReserved": "2024-02-19T14:20:24.187Z",
"dateUpdated": "2026-01-05T10:34:56.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26675 (GCVE-0-2024-26675)
Vulnerability from cvelistv5 – Published: 2024-04-02 07:01 – Updated: 2025-05-04 08:53
VLAI?
EPSS
Title
ppp_async: limit MRU to 64K
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp_async: limit MRU to 64K
syzbot triggered a warning [1] in __alloc_pages():
WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")
Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
[1]:
WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
Modules linked in:
CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events_unbound flush_to_ldisc
pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
sp : ffff800093967580
x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
Call trace:
__alloc_pages+0x308/0x698 mm/page_alloc.c:4543
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
__kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
__do_kmalloc_node mm/slub.c:3969 [inline]
__kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
__alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
__netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
dev_alloc_skb include/linux/skbuff.h:3248 [inline]
ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:444 [inline]
flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
process_one_work+0x694/0x1204 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:2787
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 56fae81633ccee307cfcb032f706bf1863a56982 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b06e067e93fa4b98acfd3a9f38a398ab91bbc58b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4e2c4846b2507f6dfc9bea72b7567c2693a82a16 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7e5ef49670766c9742ffcd9cead7cdb018268719 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 210d938f963dddc543b07e66a79b7d8d4bd00bd8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cb88cb53badb8aeb3955ad6ce80b07b598e310b8 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:53:26.335519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:36.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_async.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "56fae81633ccee307cfcb032f706bf1863a56982",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b06e067e93fa4b98acfd3a9f38a398ab91bbc58b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4e2c4846b2507f6dfc9bea72b7567c2693a82a16",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e5ef49670766c9742ffcd9cead7cdb018268719",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "210d938f963dddc543b07e66a79b7d8d4bd00bd8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cb88cb53badb8aeb3955ad6ce80b07b598e310b8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ppp/ppp_async.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.78",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp_async: limit MRU to 64K\n\nsyzbot triggered a warning [1] in __alloc_pages():\n\nWARN_ON_ONCE_GFP(order \u003e MAX_PAGE_ORDER, gfp)\n\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\n\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\n\n[1]:\n\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n __do_kmalloc_node mm/slub.c:3969 [inline]\n __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n receive_buf drivers/tty/tty_buffer.c:444 [inline]\n flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:53:42.211Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed"
},
{
"url": "https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982"
},
{
"url": "https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b"
},
{
"url": "https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3"
},
{
"url": "https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16"
},
{
"url": "https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719"
},
{
"url": "https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8"
},
{
"url": "https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8"
}
],
"title": "ppp_async: limit MRU to 64K",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26675",
"datePublished": "2024-04-02T07:01:40.054Z",
"dateReserved": "2024-02-19T14:20:24.151Z",
"dateUpdated": "2025-05-04T08:53:42.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35888 (GCVE-0-2024-35888)
Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2025-05-07 19:58
VLAI?
EPSS
Title
erspan: make sure erspan_base_hdr is present in skb->head
Summary
In the Linux kernel, the following vulnerability has been resolved:
erspan: make sure erspan_base_hdr is present in skb->head
syzbot reported a problem in ip6erspan_rcv() [1]
Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
sure erspan_base_hdr is present in skb linear part (skb->head)
before getting @ver field from it.
Add the missing pskb_may_pull() calls.
v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
because skb->head might have changed.
[1]
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
pskb_may_pull include/linux/skbuff.h:2756 [inline]
ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:460 [inline]
ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5538 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
netif_receive_skb_internal net/core/dev.c:5738 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5798
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
tun_alloc_skb drivers/net/tun.c:1525 [inline]
tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
Severity ?
5.5 (Medium)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0a198e0bb8bef51ced179702ad1af6f9e3715b64 , < 06a939f72a24a7d8251f84cf4c042df86c6666ac
(git)
Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < e54a0c79cdc2548729dd7e2e468b08c5af4d0df5 (git) Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < b14b9f9503ec823ca75be766dcaeff4f0bfeca85 (git) Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < ee0088101beee10fa809716d6245d915b09c37c7 (git) Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < 1db7fcb2b290c47c202b79528824f119fa28937d (git) Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < 4e3fdeecec5707678b0d1f18c259dadb97262e9d (git) Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < 0ac328a5a4138a6c03dfc3f46017bd5c19167446 (git) Affected: cb73ee40b1b381eaf3749e6dbeed567bb38e5258 , < 17af420545a750f763025149fa7b833a4fc8b8f0 (git) Affected: 5195acd38ae48b7b5c186f522cd4351441297859 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T19:58:41.579179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T19:58:44.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c",
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06a939f72a24a7d8251f84cf4c042df86c6666ac",
"status": "affected",
"version": "0a198e0bb8bef51ced179702ad1af6f9e3715b64",
"versionType": "git"
},
{
"lessThan": "e54a0c79cdc2548729dd7e2e468b08c5af4d0df5",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"lessThan": "b14b9f9503ec823ca75be766dcaeff4f0bfeca85",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"lessThan": "ee0088101beee10fa809716d6245d915b09c37c7",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"lessThan": "1db7fcb2b290c47c202b79528824f119fa28937d",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"lessThan": "4e3fdeecec5707678b0d1f18c259dadb97262e9d",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"lessThan": "0ac328a5a4138a6c03dfc3f46017bd5c19167446",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"lessThan": "17af420545a750f763025149fa7b833a4fc8b8f0",
"status": "affected",
"version": "cb73ee40b1b381eaf3749e6dbeed567bb38e5258",
"versionType": "git"
},
{
"status": "affected",
"version": "5195acd38ae48b7b5c186f522cd4351441297859",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_gre.c",
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "4.19.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb-\u003ehead\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb-\u003ehead)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb-\u003ehead might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:56:00.267Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac"
},
{
"url": "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5"
},
{
"url": "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85"
},
{
"url": "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7"
},
{
"url": "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d"
},
{
"url": "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d"
},
{
"url": "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446"
},
{
"url": "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0"
}
],
"title": "erspan: make sure erspan_base_hdr is present in skb-\u003ehead",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35888",
"datePublished": "2024-05-19T08:34:44.428Z",
"dateReserved": "2024-05-17T13:50:33.113Z",
"dateUpdated": "2025-05-07T19:58:44.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35958 (GCVE-0-2024-35958)
Vulnerability from cvelistv5 – Published: 2024-05-20 09:41 – Updated: 2025-05-04 09:09
VLAI?
EPSS
Title
net: ena: Fix incorrect descriptor free behavior
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ena: Fix incorrect descriptor free behavior
ENA has two types of TX queues:
- queues which only process TX packets arriving from the network stack
- queues which only process TX packets forwarded to it by XDP_REDIRECT
or XDP_TX instructions
The ena_free_tx_bufs() cycles through all descriptors in a TX queue
and unmaps + frees every descriptor that hasn't been acknowledged yet
by the device (uncompleted TX transactions).
The function assumes that the processed TX queue is necessarily from
the first category listed above and ends up using napi_consume_skb()
for descriptors belonging to an XDP specific queue.
This patch solves a bug in which, in case of a VF reset, the
descriptors aren't freed correctly, leading to crashes.
Severity ?
5.5 (Medium)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
548c4940b9f1f527f81509468dd60b61418880b6 , < b26aa765f7437e1bbe8db4c1641b12bd5dd378f0
(git)
Affected: 548c4940b9f1f527f81509468dd60b61418880b6 , < fdfbf54d128ab6ab255db138488f9650485795a2 (git) Affected: 548c4940b9f1f527f81509468dd60b61418880b6 , < 19ff8fed3338898b70b2aad831386c78564912e1 (git) Affected: 548c4940b9f1f527f81509468dd60b61418880b6 , < 5c7f2240d9835a7823d87f7460d8eae9f4e504c7 (git) Affected: 548c4940b9f1f527f81509468dd60b61418880b6 , < c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d (git) Affected: 548c4940b9f1f527f81509468dd60b61418880b6 , < bf02d9fe00632d22fa91d34749c7aacf397b6cde (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T18:17:10.294133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T20:13:03.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:49.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amazon/ena/ena_netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b26aa765f7437e1bbe8db4c1641b12bd5dd378f0",
"status": "affected",
"version": "548c4940b9f1f527f81509468dd60b61418880b6",
"versionType": "git"
},
{
"lessThan": "fdfbf54d128ab6ab255db138488f9650485795a2",
"status": "affected",
"version": "548c4940b9f1f527f81509468dd60b61418880b6",
"versionType": "git"
},
{
"lessThan": "19ff8fed3338898b70b2aad831386c78564912e1",
"status": "affected",
"version": "548c4940b9f1f527f81509468dd60b61418880b6",
"versionType": "git"
},
{
"lessThan": "5c7f2240d9835a7823d87f7460d8eae9f4e504c7",
"status": "affected",
"version": "548c4940b9f1f527f81509468dd60b61418880b6",
"versionType": "git"
},
{
"lessThan": "c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d",
"status": "affected",
"version": "548c4940b9f1f527f81509468dd60b61418880b6",
"versionType": "git"
},
{
"lessThan": "bf02d9fe00632d22fa91d34749c7aacf397b6cde",
"status": "affected",
"version": "548c4940b9f1f527f81509468dd60b61418880b6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/amazon/ena/ena_netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.156",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.87",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.28",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn\u0027t been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren\u0027t freed correctly, leading to crashes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:09:13.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0"
},
{
"url": "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2"
},
{
"url": "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1"
},
{
"url": "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7"
},
{
"url": "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d"
},
{
"url": "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde"
}
],
"title": "net: ena: Fix incorrect descriptor free behavior",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35958",
"datePublished": "2024-05-20T09:41:50.585Z",
"dateReserved": "2024-05-17T13:50:33.136Z",
"dateUpdated": "2025-05-04T09:09:13.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35890 (GCVE-0-2024-35890)
Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2025-05-09 20:03
VLAI?
EPSS
Title
gro: fix ownership transfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
gro: fix ownership transfer
If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can't be orphaned. Fix this by also removing the reference to the
socket.
For example this could be observed,
kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
Call Trace:
ipv6_list_rcv+0x250/0x3f0
__netif_receive_skb_list_core+0x49d/0x8f0
netif_receive_skb_list_internal+0x634/0xd40
napi_complete_done+0x1d2/0x7d0
gro_cell_poll+0x118/0x1f0
A similar construction is found in skb_gro_receive, apply the same
change there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5e10da5385d20c4bae587bc2921e5fdd9655d5fc , < d225b0ac96dc40d7e8ae2bc227eb2c56e130975f
(git)
Affected: 5e10da5385d20c4bae587bc2921e5fdd9655d5fc , < 2eeab8c47c3c0276e0746bc382f405c9a236a5ad (git) Affected: 5e10da5385d20c4bae587bc2921e5fdd9655d5fc , < fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 (git) Affected: 5e10da5385d20c4bae587bc2921e5fdd9655d5fc , < 5b3b67f731296027cceb3efad881ae281213f86f (git) Affected: 5e10da5385d20c4bae587bc2921e5fdd9655d5fc , < ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T17:20:18.616682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:33:50.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-09T20:03:34.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250509-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c",
"net/ipv4/udp_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d225b0ac96dc40d7e8ae2bc227eb2c56e130975f",
"status": "affected",
"version": "5e10da5385d20c4bae587bc2921e5fdd9655d5fc",
"versionType": "git"
},
{
"lessThan": "2eeab8c47c3c0276e0746bc382f405c9a236a5ad",
"status": "affected",
"version": "5e10da5385d20c4bae587bc2921e5fdd9655d5fc",
"versionType": "git"
},
{
"lessThan": "fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6",
"status": "affected",
"version": "5e10da5385d20c4bae587bc2921e5fdd9655d5fc",
"versionType": "git"
},
{
"lessThan": "5b3b67f731296027cceb3efad881ae281213f86f",
"status": "affected",
"version": "5e10da5385d20c4bae587bc2921e5fdd9655d5fc",
"versionType": "git"
},
{
"lessThan": "ed4cccef64c1d0d5b91e69f7a8a6697c3a865486",
"status": "affected",
"version": "5e10da5385d20c4bae587bc2921e5fdd9655d5fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c",
"net/ipv4/udp_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can\u0027t be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:07:42.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f"
},
{
"url": "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad"
},
{
"url": "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6"
},
{
"url": "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f"
},
{
"url": "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486"
}
],
"title": "gro: fix ownership transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35890",
"datePublished": "2024-05-19T08:34:46.085Z",
"dateReserved": "2024-05-17T13:50:33.113Z",
"dateUpdated": "2025-05-09T20:03:34.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52615 (GCVE-0-2023-52615)
Vulnerability from cvelistv5 – Published: 2024-03-18 10:14 – Updated: 2025-05-04 07:39
VLAI?
EPSS
Title
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
There is a dead-lock in the hwrng device read path. This triggers
when the user reads from /dev/hwrng into memory also mmap-ed from
/dev/hwrng. The resulting page fault triggers a recursive read
which then dead-locks.
Fix this by using a stack buffer when calling copy_to_user.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9996508b3353063f2d6c48c1a28a84543d72d70b , < eafd83b92f6c044007a3591cbd476bcf90455990
(git)
Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < 5030d4c798863ccb266563201b341a099e8cdd48 (git) Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < c6a8111aacbfe7a8a70f46cc0de8eed00561693c (git) Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < 26cc6d7006f922df6cc4389248032d955750b2a0 (git) Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < aa8aa16ed9adf1df05bb339d588cf485a011839e (git) Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < ecabe8cd456d3bf81e92c53b074732f3140f170d (git) Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < 6822a14271786150e178869f1495cc03e74c5029 (git) Affected: 9996508b3353063f2d6c48c1a28a84543d72d70b , < 78aafb3884f6bc6636efcc1760c891c8500b9922 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:21.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eafd83b92f6c044007a3591cbd476bcf90455990"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5030d4c798863ccb266563201b341a099e8cdd48"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c6a8111aacbfe7a8a70f46cc0de8eed00561693c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/26cc6d7006f922df6cc4389248032d955750b2a0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aa8aa16ed9adf1df05bb339d588cf485a011839e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ecabe8cd456d3bf81e92c53b074732f3140f170d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6822a14271786150e178869f1495cc03e74c5029"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/78aafb3884f6bc6636efcc1760c891c8500b9922"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:55:19.515526Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:21.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eafd83b92f6c044007a3591cbd476bcf90455990",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "5030d4c798863ccb266563201b341a099e8cdd48",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "c6a8111aacbfe7a8a70f46cc0de8eed00561693c",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "26cc6d7006f922df6cc4389248032d955750b2a0",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "aa8aa16ed9adf1df05bb339d588cf485a011839e",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "ecabe8cd456d3bf81e92c53b074732f3140f170d",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "6822a14271786150e178869f1495cc03e74c5029",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
},
{
"lessThan": "78aafb3884f6bc6636efcc1760c891c8500b9922",
"status": "affected",
"version": "9996508b3353063f2d6c48c1a28a84543d72d70b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: core - Fix page fault dead lock on mmap-ed hwrng\n\nThere is a dead-lock in the hwrng device read path. This triggers\nwhen the user reads from /dev/hwrng into memory also mmap-ed from\n/dev/hwrng. The resulting page fault triggers a recursive read\nwhich then dead-locks.\n\nFix this by using a stack buffer when calling copy_to_user."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:39:56.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eafd83b92f6c044007a3591cbd476bcf90455990"
},
{
"url": "https://git.kernel.org/stable/c/5030d4c798863ccb266563201b341a099e8cdd48"
},
{
"url": "https://git.kernel.org/stable/c/c6a8111aacbfe7a8a70f46cc0de8eed00561693c"
},
{
"url": "https://git.kernel.org/stable/c/26cc6d7006f922df6cc4389248032d955750b2a0"
},
{
"url": "https://git.kernel.org/stable/c/aa8aa16ed9adf1df05bb339d588cf485a011839e"
},
{
"url": "https://git.kernel.org/stable/c/ecabe8cd456d3bf81e92c53b074732f3140f170d"
},
{
"url": "https://git.kernel.org/stable/c/6822a14271786150e178869f1495cc03e74c5029"
},
{
"url": "https://git.kernel.org/stable/c/78aafb3884f6bc6636efcc1760c891c8500b9922"
}
],
"title": "hwrng: core - Fix page fault dead lock on mmap-ed hwrng",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52615",
"datePublished": "2024-03-18T10:14:45.503Z",
"dateReserved": "2024-03-06T09:52:12.089Z",
"dateUpdated": "2025-05-04T07:39:56.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5090 (GCVE-0-2023-5090)
Vulnerability from cvelistv5 – Published: 2023-11-06 10:56 – Updated: 2025-11-08 07:10
VLAI?
EPSS
Title
Kernel: kvm: svm: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs
Summary
A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.
Severity ?
6 (Medium)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
0:4.18.0-553.8.1.rt7.349.el8_10 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8::nfv cpe:/a:redhat:enterprise_linux:8::realtime |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Date Public ?
2023-09-28 00:00
Credits
This issue was discovered by Maxim Levitsky (Red Hat).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:44:53.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2024:3854",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3854"
},
{
"name": "RHSA-2024:3855",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3855"
},
{
"name": "RHSA-2024:4211",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4211"
},
{
"name": "RHSA-2024:4352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4352"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-5090"
},
{
"name": "RHBZ#2248122",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248122"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv",
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-553.8.1.rt7.349.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos",
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-553.8.1.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-427.16.1.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::nfv",
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::realtime",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-427.16.1.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.2::appstream",
"cpe:/a:redhat:rhel_eus:9.2::crb",
"cpe:/o:redhat:rhel_eus:9.2::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-284.69.1.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.2::nfv",
"cpe:/a:redhat:rhel_eus:9.2::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.14.0-284.69.1.rt14.354.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Maxim Levitsky (Red Hat)."
}
],
"datePublic": "2023-09-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-08T07:10:11.332Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:2758",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2758"
},
{
"name": "RHSA-2024:3854",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3854"
},
{
"name": "RHSA-2024:3855",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:3855"
},
{
"name": "RHSA-2024:4211",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4211"
},
{
"name": "RHSA-2024:4352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4352"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-5090"
},
{
"name": "RHBZ#2248122",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248122"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-20T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-09-28T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Kernel: kvm: svm: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_redhatCweChain": "CWE-755: Improper Handling of Exceptional Conditions"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-5090",
"datePublished": "2023-11-06T10:56:57.062Z",
"dateReserved": "2023-09-20T15:29:32.106Z",
"dateUpdated": "2025-11-08T07:10:11.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27410 (GCVE-0-2024-27410)
Vulnerability from cvelistv5 – Published: 2024-05-17 11:50 – Updated: 2025-06-19 12:39
VLAI?
EPSS
Title
wifi: nl80211: reject iftype change with mesh ID change
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: nl80211: reject iftype change with mesh ID change
It's currently possible to change the mesh ID when the
interface isn't yet in mesh mode, at the same time as
changing it into mesh mode. This leads to an overwrite
of data in the wdev->u union for the interface type it
currently has, causing cfg80211_change_iface() to do
wrong things when switching.
We could probably allow setting an interface to mesh
while setting the mesh ID at the same time by doing a
different order of operations here, but realistically
there's no userspace that's going to do this, so just
disallow changes in iftype when setting mesh ID.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < 930e826962d9f01dcd2220176134427358d112f2
(git)
Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < 177d574be4b58f832354ab1ef5a297aa0c9aa2df (git) Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838 (git) Affected: 7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 , < f78c1375339a291cba492a70eaf12ec501d28a8e (git) Affected: 7a53ad13c09150076b7ddde96c2dfc5622c90b45 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27410",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:39:36.191312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:43:50.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:34:52.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/nl80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "930e826962d9f01dcd2220176134427358d112f2",
"status": "affected",
"version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
"versionType": "git"
},
{
"lessThan": "177d574be4b58f832354ab1ef5a297aa0c9aa2df",
"status": "affected",
"version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
"versionType": "git"
},
{
"lessThan": "a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838",
"status": "affected",
"version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
"versionType": "git"
},
{
"lessThan": "f78c1375339a291cba492a70eaf12ec501d28a8e",
"status": "affected",
"version": "7b0a0e3c3a88260b6fcb017e49f198463aa62ed1",
"versionType": "git"
},
{
"status": "affected",
"version": "7a53ad13c09150076b7ddde96c2dfc5622c90b45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/nl80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.81",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.21",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject iftype change with mesh ID change\n\nIt\u0027s currently possible to change the mesh ID when the\ninterface isn\u0027t yet in mesh mode, at the same time as\nchanging it into mesh mode. This leads to an overwrite\nof data in the wdev-\u003eu union for the interface type it\ncurrently has, causing cfg80211_change_iface() to do\nwrong things when switching.\n\nWe could probably allow setting an interface to mesh\nwhile setting the mesh ID at the same time by doing a\ndifferent order of operations here, but realistically\nthere\u0027s no userspace that\u0027s going to do this, so just\ndisallow changes in iftype when setting mesh ID."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-19T12:39:17.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2"
},
{
"url": "https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df"
},
{
"url": "https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838"
},
{
"url": "https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e"
}
],
"title": "wifi: nl80211: reject iftype change with mesh ID change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-27410",
"datePublished": "2024-05-17T11:50:43.212Z",
"dateReserved": "2024-02-25T13:47:42.682Z",
"dateUpdated": "2025-06-19T12:39:17.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52700 (GCVE-0-2023-52700)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:22 – Updated: 2025-05-04 07:41
VLAI?
EPSS
Title
tipc: fix kernel warning when sending SYN message
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix kernel warning when sending SYN message
When sending a SYN message, this kernel stack trace is observed:
...
[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
...
[ 13.398494] Call Trace:
[ 13.398630] <TASK>
[ 13.398630] ? __alloc_skb+0xed/0x1a0
[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]
[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290
[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]
[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]
[ 13.398630] ? __local_bh_enable_ip+0x37/0x80
[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]
[ 13.398630] ? __sys_connect+0x9f/0xd0
[ 13.398630] __sys_connect+0x9f/0xd0
[ 13.398630] ? preempt_count_add+0x4d/0xa0
[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50
[ 13.398630] __x64_sys_connect+0x16/0x20
[ 13.398630] do_syscall_64+0x42/0x90
[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd
It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
to copy to/from iterator") has introduced sanity check for copying
from/to iov iterator. Lacking of copy direction from the iterator
viewpoint would lead to kernel stack trace like above.
This commit fixes this issue by initializing the iov iterator with
the correct copy direction when sending SYN or ACK without data.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-18T14:38:23.667896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T14:28:36.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:35.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54b6082aec178f16ad6d193b4ecdc9c4823d9a32",
"status": "affected",
"version": "f25dcc7687d42a72de18aa41b04990a24c9e77c7",
"versionType": "git"
},
{
"lessThan": "11a4d6f67cf55883dc78e31c247d1903ed7feccc",
"status": "affected",
"version": "f25dcc7687d42a72de18aa41b04990a24c9e77c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.13",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel warning when sending SYN message\n\nWhen sending a SYN message, this kernel stack trace is observed:\n\n...\n[ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550\n...\n[ 13.398494] Call Trace:\n[ 13.398630] \u003cTASK\u003e\n[ 13.398630] ? __alloc_skb+0xed/0x1a0\n[ 13.398630] tipc_msg_build+0x12c/0x670 [tipc]\n[ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290\n[ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc]\n[ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __local_bh_enable_ip+0x37/0x80\n[ 13.398630] tipc_connect+0x1d9/0x230 [tipc]\n[ 13.398630] ? __sys_connect+0x9f/0xd0\n[ 13.398630] __sys_connect+0x9f/0xd0\n[ 13.398630] ? preempt_count_add+0x4d/0xa0\n[ 13.398630] ? fpregs_assert_state_consistent+0x22/0x50\n[ 13.398630] __x64_sys_connect+0x16/0x20\n[ 13.398630] do_syscall_64+0x42/0x90\n[ 13.398630] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because commit a41dad905e5a (\"iov_iter: saner checks for attempt\nto copy to/from iterator\") has introduced sanity check for copying\nfrom/to iov iterator. Lacking of copy direction from the iterator\nviewpoint would lead to kernel stack trace like above.\n\nThis commit fixes this issue by initializing the iov iterator with\nthe correct copy direction when sending SYN or ACK without data."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:41:53.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32"
},
{
"url": "https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc"
}
],
"title": "tipc: fix kernel warning when sending SYN message",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52700",
"datePublished": "2024-05-21T15:22:50.702Z",
"dateReserved": "2024-03-07T14:49:46.891Z",
"dateUpdated": "2025-05-04T07:41:53.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…