Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2024-AVI-0334
Vulnerability from certfr_avis - Published: 2024-04-19 - Updated: 2024-04-19
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Elles permettent à un attaquant de provoquer un déni de service, une atteinte à la confidentialité des données et une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian bookworm versions ant\u00e9rieures \u00e0 6.1.85-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-26601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26601"
},
{
"name": "CVE-2023-52633",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52633"
},
{
"name": "CVE-2023-52622",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52622"
},
{
"name": "CVE-2024-26696",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26696"
},
{
"name": "CVE-2024-26654",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26654"
},
{
"name": "CVE-2024-26816",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26816"
},
{
"name": "CVE-2023-52621",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52621"
},
{
"name": "CVE-2024-26629",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26629"
},
{
"name": "CVE-2024-26586",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26586"
},
{
"name": "CVE-2024-26715",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26715"
},
{
"name": "CVE-2023-52637",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52637"
},
{
"name": "CVE-2024-26585",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26585"
},
{
"name": "CVE-2024-26754",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26754"
},
{
"name": "CVE-2024-26700",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26700"
},
{
"name": "CVE-2023-52630",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52630"
},
{
"name": "CVE-2023-52429",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52429"
},
{
"name": "CVE-2024-26790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26790"
},
{
"name": "CVE-2024-26704",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26704"
},
{
"name": "CVE-2024-26750",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26750"
},
{
"name": "CVE-2024-26671",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26671"
},
{
"name": "CVE-2024-26603",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26603"
},
{
"name": "CVE-2024-27437",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27437"
},
{
"name": "CVE-2024-26712",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26712"
},
{
"name": "CVE-2024-26600",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26600"
},
{
"name": "CVE-2023-28746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28746"
},
{
"name": "CVE-2023-52640",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52640"
},
{
"name": "CVE-2023-52635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52635"
},
{
"name": "CVE-2024-26726",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26726"
},
{
"name": "CVE-2023-52593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52593"
},
{
"name": "CVE-2024-26802",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26802"
},
{
"name": "CVE-2023-52638",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52638"
},
{
"name": "CVE-2024-26815",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26815"
},
{
"name": "CVE-2024-26805",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26805"
},
{
"name": "CVE-2024-26665",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26665"
},
{
"name": "CVE-2024-26774",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26774"
},
{
"name": "CVE-2024-26627",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26627"
},
{
"name": "CVE-2024-26581",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26581"
},
{
"name": "CVE-2023-52632",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52632"
},
{
"name": "CVE-2023-52600",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52600"
},
{
"name": "CVE-2023-52587",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52587"
},
{
"name": "CVE-2024-26698",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26698"
},
{
"name": "CVE-2024-26686",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26686"
},
{
"name": "CVE-2024-26702",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26702"
},
{
"name": "CVE-2024-26673",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26673"
},
{
"name": "CVE-2024-26720",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26720"
},
{
"name": "CVE-2024-26801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26801"
},
{
"name": "CVE-2023-52618",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52618"
},
{
"name": "CVE-2024-26742",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26742"
},
{
"name": "CVE-2023-7042",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-7042"
},
{
"name": "CVE-2024-26643",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26643"
},
{
"name": "CVE-2024-26780",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26780"
},
{
"name": "CVE-2024-26779",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26779"
},
{
"name": "CVE-2024-26590",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26590"
},
{
"name": "CVE-2023-52604",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52604"
},
{
"name": "CVE-2023-52601",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52601"
},
{
"name": "CVE-2024-26773",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26773"
},
{
"name": "CVE-2024-26722",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26722"
},
{
"name": "CVE-2024-26679",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26679"
},
{
"name": "CVE-2023-52616",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52616"
},
{
"name": "CVE-2024-26763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26763"
},
{
"name": "CVE-2023-52435",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52435"
},
{
"name": "CVE-2024-26707",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26707"
},
{
"name": "CVE-2024-26749",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26749"
},
{
"name": "CVE-2023-52603",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52603"
},
{
"name": "CVE-2024-26695",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26695"
},
{
"name": "CVE-2024-26789",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26789"
},
{
"name": "CVE-2023-52619",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52619"
},
{
"name": "CVE-2024-26727",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26727"
},
{
"name": "CVE-2023-52617",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52617"
},
{
"name": "CVE-2024-26804",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26804"
},
{
"name": "CVE-2024-26593",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26593"
},
{
"name": "CVE-2024-26751",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26751"
},
{
"name": "CVE-2023-6270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6270"
},
{
"name": "CVE-2024-26743",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26743"
},
{
"name": "CVE-2024-26676",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26676"
},
{
"name": "CVE-2024-26787",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26787"
},
{
"name": "CVE-2024-26814",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26814"
},
{
"name": "CVE-2024-24858",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24858"
},
{
"name": "CVE-2024-26765",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26765"
},
{
"name": "CVE-2023-52584",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52584"
},
{
"name": "CVE-2024-26606",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26606"
},
{
"name": "CVE-2024-26781",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26781"
},
{
"name": "CVE-2024-26625",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26625"
},
{
"name": "CVE-2024-26748",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26748"
},
{
"name": "CVE-2024-26782",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26782"
},
{
"name": "CVE-2023-52631",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52631"
},
{
"name": "CVE-2023-2176",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2176"
},
{
"name": "CVE-2023-52589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52589"
},
{
"name": "CVE-2024-26697",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26697"
},
{
"name": "CVE-2024-26792",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26792"
},
{
"name": "CVE-2024-26803",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26803"
},
{
"name": "CVE-2024-26626",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26626"
},
{
"name": "CVE-2024-26741",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26741"
},
{
"name": "CVE-2024-26583",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26583"
},
{
"name": "CVE-2024-26642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26642"
},
{
"name": "CVE-2024-26680",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26680"
},
{
"name": "CVE-2023-52639",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52639"
},
{
"name": "CVE-2024-26685",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26685"
},
{
"name": "CVE-2024-26733",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26733"
},
{
"name": "CVE-2023-52599",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52599"
},
{
"name": "CVE-2024-26812",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26812"
},
{
"name": "CVE-2024-26688",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26688"
},
{
"name": "CVE-2024-26663",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26663"
},
{
"name": "CVE-2024-26675",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26675"
},
{
"name": "CVE-2024-24857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24857"
},
{
"name": "CVE-2023-52583",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52583"
},
{
"name": "CVE-2024-26584",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26584"
},
{
"name": "CVE-2023-52602",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52602"
},
{
"name": "CVE-2024-26681",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26681"
},
{
"name": "CVE-2024-23850",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23850"
},
{
"name": "CVE-2024-26800",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26800"
},
{
"name": "CVE-2024-0841",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0841"
},
{
"name": "CVE-2024-26651",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26651"
},
{
"name": "CVE-2024-26776",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26776"
},
{
"name": "CVE-2024-1151",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1151"
},
{
"name": "CVE-2024-26735",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26735"
},
{
"name": "CVE-2023-47233",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47233"
},
{
"name": "CVE-2024-26640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26640"
},
{
"name": "CVE-2023-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52434"
},
{
"name": "CVE-2024-23851",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23851"
},
{
"name": "CVE-2024-26714",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26714"
},
{
"name": "CVE-2023-52588",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52588"
},
{
"name": "CVE-2024-26771",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26771"
},
{
"name": "CVE-2024-26769",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26769"
},
{
"name": "CVE-2024-26723",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26723"
},
{
"name": "CVE-2024-26737",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26737"
},
{
"name": "CVE-2024-26602",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26602"
},
{
"name": "CVE-2024-22099",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22099"
},
{
"name": "CVE-2024-26775",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26775"
},
{
"name": "CVE-2024-26747",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26747"
},
{
"name": "CVE-2023-52598",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52598"
},
{
"name": "CVE-2024-26753",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26753"
},
{
"name": "CVE-2023-52620",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52620"
},
{
"name": "CVE-2024-26659",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26659"
},
{
"name": "CVE-2024-26793",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26793"
},
{
"name": "CVE-2024-26639",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26639"
},
{
"name": "CVE-2023-52594",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52594"
},
{
"name": "CVE-2024-26687",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26687"
},
{
"name": "CVE-2024-26718",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26718"
},
{
"name": "CVE-2023-52595",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52595"
},
{
"name": "CVE-2024-26752",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26752"
},
{
"name": "CVE-2023-52623",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52623"
},
{
"name": "CVE-2024-26736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26736"
},
{
"name": "CVE-2024-26759",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26759"
},
{
"name": "CVE-2024-26621",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26621"
},
{
"name": "CVE-2024-26660",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26660"
},
{
"name": "CVE-2024-26777",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26777"
},
{
"name": "CVE-2024-26764",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26764"
},
{
"name": "CVE-2024-26689",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26689"
},
{
"name": "CVE-2023-52606",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52606"
},
{
"name": "CVE-2024-26778",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26778"
},
{
"name": "CVE-2024-26760",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26760"
},
{
"name": "CVE-2024-26811",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26811"
},
{
"name": "CVE-2024-26667",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26667"
},
{
"name": "CVE-2023-52597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52597"
},
{
"name": "CVE-2024-26710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26710"
},
{
"name": "CVE-2024-26717",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26717"
},
{
"name": "CVE-2024-26582",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26582"
},
{
"name": "CVE-2024-2201",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2201"
},
{
"name": "CVE-2024-26813",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26813"
},
{
"name": "CVE-2024-26798",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26798"
},
{
"name": "CVE-2024-26641",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26641"
},
{
"name": "CVE-2024-0340",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0340"
},
{
"name": "CVE-2024-26744",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26744"
},
{
"name": "CVE-2024-26791",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26791"
},
{
"name": "CVE-2023-52641",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52641"
},
{
"name": "CVE-2024-26810",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26810"
},
{
"name": "CVE-2024-26706",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26706"
},
{
"name": "CVE-2024-26772",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26772"
},
{
"name": "CVE-2024-26766",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26766"
},
{
"name": "CVE-2024-26795",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26795"
},
{
"name": "CVE-2024-26664",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26664"
},
{
"name": "CVE-2024-26809",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26809"
},
{
"name": "CVE-2024-26745",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26745"
},
{
"name": "CVE-2024-26731",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26731"
},
{
"name": "CVE-2023-52607",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52607"
},
{
"name": "CVE-2024-26788",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26788"
},
{
"name": "CVE-2024-26684",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26684"
},
{
"name": "CVE-2024-26622",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26622"
},
{
"name": "CVE-2024-26761",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26761"
}
],
"initial_release_date": "2024-04-19T00:00:00",
"last_revision_date": "2024-04-19T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0334",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-04-19T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003ele noyau Linux de Debian\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer un d\u00e9ni de service, une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Debian msg00066 du 13 avril 2024",
"url": "https://lists.debian.org/debian-security-announce/2024/msg00066.html"
}
]
}
CVE-2024-26715 (GCVE-0-2024-26715)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-23 15:37
VLAI
EPSS
Title
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
In current scenario if Plug-out and Plug-In performed continuously
there could be a chance while checking for dwc->gadget_driver in
dwc3_gadget_suspend, a NULL pointer dereference may occur.
Call Stack:
CPU1: CPU2:
gadget_unbind_driver dwc3_suspend_common
dwc3_gadget_stop dwc3_gadget_suspend
dwc3_disconnect_gadget
CPU1 basically clears the variable and CPU2 checks the variable.
Consider CPU1 is running and right before gadget_driver is cleared
and in parallel CPU2 executes dwc3_gadget_suspend where it finds
dwc->gadget_driver which is not NULL and resumes execution and then
CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where
it checks dwc->gadget_driver is already NULL because of which the
NULL pointer deference occur.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9772b47a4c2916d645c551228b6085ea24acbe5d , < 88936ceab6b426f1312327e9ef849c215c6007a7
(git)
Affected: 9772b47a4c2916d645c551228b6085ea24acbe5d , < 57e2e42ccd3cd6183228269715ed032f44536751 (git) Affected: 9772b47a4c2916d645c551228b6085ea24acbe5d , < c7ebd8149ee519d27232e6e4940e9c02071b568b (git) Affected: 9772b47a4c2916d645c551228b6085ea24acbe5d , < 36695d5eeeefe5a64b47d0336e7c8fc144e78182 (git) Affected: 9772b47a4c2916d645c551228b6085ea24acbe5d , < 61a348857e869432e6a920ad8ea9132e8d44c316 (git) Affected: 8cca5c85393a7a490d4d7942c24d73d29cc77b3e (git) Affected: df2ca3271569367352835f981618e284fdc4ca94 (git) Affected: 3.16.81 , < 3.17 (semver) Affected: 4.4.178 , < 4.5 (semver) |
|
| Linux | Linux |
Affected:
4.6
Unaffected: 0 , < 4.6 (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T17:49:51.140719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:25.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/88936ceab6b426f1312327e9ef849c215c6007a7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/57e2e42ccd3cd6183228269715ed032f44536751"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c7ebd8149ee519d27232e6e4940e9c02071b568b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/36695d5eeeefe5a64b47d0336e7c8fc144e78182"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/61a348857e869432e6a920ad8ea9132e8d44c316"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88936ceab6b426f1312327e9ef849c215c6007a7",
"status": "affected",
"version": "9772b47a4c2916d645c551228b6085ea24acbe5d",
"versionType": "git"
},
{
"lessThan": "57e2e42ccd3cd6183228269715ed032f44536751",
"status": "affected",
"version": "9772b47a4c2916d645c551228b6085ea24acbe5d",
"versionType": "git"
},
{
"lessThan": "c7ebd8149ee519d27232e6e4940e9c02071b568b",
"status": "affected",
"version": "9772b47a4c2916d645c551228b6085ea24acbe5d",
"versionType": "git"
},
{
"lessThan": "36695d5eeeefe5a64b47d0336e7c8fc144e78182",
"status": "affected",
"version": "9772b47a4c2916d645c551228b6085ea24acbe5d",
"versionType": "git"
},
{
"lessThan": "61a348857e869432e6a920ad8ea9132e8d44c316",
"status": "affected",
"version": "9772b47a4c2916d645c551228b6085ea24acbe5d",
"versionType": "git"
},
{
"status": "affected",
"version": "8cca5c85393a7a490d4d7942c24d73d29cc77b3e",
"versionType": "git"
},
{
"status": "affected",
"version": "df2ca3271569367352835f981618e284fdc4ca94",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.81",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.178",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.178",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend\n\nIn current scenario if Plug-out and Plug-In performed continuously\nthere could be a chance while checking for dwc-\u003egadget_driver in\ndwc3_gadget_suspend, a NULL pointer dereference may occur.\n\nCall Stack:\n\n\tCPU1: CPU2:\n\tgadget_unbind_driver dwc3_suspend_common\n\tdwc3_gadget_stop dwc3_gadget_suspend\n dwc3_disconnect_gadget\n\nCPU1 basically clears the variable and CPU2 checks the variable.\nConsider CPU1 is running and right before gadget_driver is cleared\nand in parallel CPU2 executes dwc3_gadget_suspend where it finds\ndwc-\u003egadget_driver which is not NULL and resumes execution and then\nCPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where\nit checks dwc-\u003egadget_driver is already NULL because of which the\nNULL pointer deference occur."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:37:13.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88936ceab6b426f1312327e9ef849c215c6007a7"
},
{
"url": "https://git.kernel.org/stable/c/57e2e42ccd3cd6183228269715ed032f44536751"
},
{
"url": "https://git.kernel.org/stable/c/c7ebd8149ee519d27232e6e4940e9c02071b568b"
},
{
"url": "https://git.kernel.org/stable/c/36695d5eeeefe5a64b47d0336e7c8fc144e78182"
},
{
"url": "https://git.kernel.org/stable/c/61a348857e869432e6a920ad8ea9132e8d44c316"
}
],
"title": "usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26715",
"datePublished": "2024-04-03T14:55:16.395Z",
"dateReserved": "2024-02-19T14:20:24.160Z",
"dateUpdated": "2026-05-23T15:37:13.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26717 (GCVE-0-2024-26717)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-11 20:02
VLAI
EPSS
Title
HID: i2c-hid-of: fix NULL-deref on failed power up
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: i2c-hid-of: fix NULL-deref on failed power up
A while back the I2C HID implementation was split in an ACPI and OF
part, but the new OF driver never initialises the client pointer which
is dereferenced on power-up failures.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b33752c300232d7f95dd9a4353947d0c9e6a0e52 , < 62f5d219edbd174829aa18d4b3d97cd5fefbb783
(git)
Affected: b33752c300232d7f95dd9a4353947d0c9e6a0e52 , < d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c (git) Affected: b33752c300232d7f95dd9a4353947d0c9e6a0e52 , < 4cad91344a62536a2949873bad6365fbb6232776 (git) Affected: b33752c300232d7f95dd9a4353947d0c9e6a0e52 , < e28d6b63aeecbda450935fb58db0e682ea8212d3 (git) Affected: b33752c300232d7f95dd9a4353947d0c9e6a0e52 , < 00aab7dcb2267f2aef59447602f34501efe1a07f (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/62f5d219edbd174829aa18d4b3d97cd5fefbb783"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4cad91344a62536a2949873bad6365fbb6232776"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e28d6b63aeecbda450935fb58db0e682ea8212d3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/00aab7dcb2267f2aef59447602f34501efe1a07f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:52:26.621999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:24.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/i2c-hid/i2c-hid-of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62f5d219edbd174829aa18d4b3d97cd5fefbb783",
"status": "affected",
"version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52",
"versionType": "git"
},
{
"lessThan": "d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c",
"status": "affected",
"version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52",
"versionType": "git"
},
{
"lessThan": "4cad91344a62536a2949873bad6365fbb6232776",
"status": "affected",
"version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52",
"versionType": "git"
},
{
"lessThan": "e28d6b63aeecbda450935fb58db0e682ea8212d3",
"status": "affected",
"version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52",
"versionType": "git"
},
{
"lessThan": "00aab7dcb2267f2aef59447602f34501efe1a07f",
"status": "affected",
"version": "b33752c300232d7f95dd9a4353947d0c9e6a0e52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/i2c-hid/i2c-hid-of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid-of: fix NULL-deref on failed power up\n\nA while back the I2C HID implementation was split in an ACPI and OF\npart, but the new OF driver never initialises the client pointer which\nis dereferenced on power-up failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:02:48.133Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62f5d219edbd174829aa18d4b3d97cd5fefbb783"
},
{
"url": "https://git.kernel.org/stable/c/d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c"
},
{
"url": "https://git.kernel.org/stable/c/4cad91344a62536a2949873bad6365fbb6232776"
},
{
"url": "https://git.kernel.org/stable/c/e28d6b63aeecbda450935fb58db0e682ea8212d3"
},
{
"url": "https://git.kernel.org/stable/c/00aab7dcb2267f2aef59447602f34501efe1a07f"
}
],
"title": "HID: i2c-hid-of: fix NULL-deref on failed power up",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26717",
"datePublished": "2024-04-03T14:55:18.063Z",
"dateReserved": "2024-02-19T14:20:24.161Z",
"dateUpdated": "2026-05-11T20:02:48.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26718 (GCVE-0-2024-26718)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-11 20:02
VLAI
EPSS
Title
dm-crypt, dm-verity: disable tasklets
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-crypt, dm-verity: disable tasklets
Tasklets have an inherent problem with memory corruption. The function
tasklet_action_common calls tasklet_trylock, then it calls the tasklet
callback and then it calls tasklet_unlock. If the tasklet callback frees
the structure that contains the tasklet or if it calls some code that may
free it, tasklet_unlock will write into free memory.
The commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but
it is not a sufficient fix and the data corruption can still happen [1].
There is no fix for dm-verity and dm-verity will write into free memory
with every tasklet-processed bio.
There will be atomic workqueues implemented in the kernel 6.9 [2]. They
will have better interface and they will not suffer from the memory
corruption problem.
But we need something that stops the memory corruption now and that can be
backported to the stable kernels. So, I'm proposing this commit that
disables tasklets in both dm-crypt and dm-verity. This commit doesn't
remove the tasklet support, because the tasklet code will be reused when
atomic workqueues will be implemented.
[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/
[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 , < b825e0f9d68c178072bffd32dd34c39e3d2d597a
(git)
Affected: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 , < 30884a44e0cedc3dfda8c22432f3ba4078ec2d94 (git) Affected: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 , < 5735a2671ffb70ea29ca83969fe01316ee2ed6fc (git) Affected: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 , < 0c45a20cbe68bc4d681734f5c03891124a274257 (git) Affected: 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 , < 0a9bab391e336489169b95cb0d4553d921302189 (git) |
|
| Linux | Linux |
Affected:
5.9
Unaffected: 0 , < 5.9 (semver) Unaffected: 5.15.169 , ≤ 5.15.* (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26718",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:52:23.335095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:24.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-crypt.c",
"drivers/md/dm-verity-target.c",
"drivers/md/dm-verity.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b825e0f9d68c178072bffd32dd34c39e3d2d597a",
"status": "affected",
"version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877",
"versionType": "git"
},
{
"lessThan": "30884a44e0cedc3dfda8c22432f3ba4078ec2d94",
"status": "affected",
"version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877",
"versionType": "git"
},
{
"lessThan": "5735a2671ffb70ea29ca83969fe01316ee2ed6fc",
"status": "affected",
"version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877",
"versionType": "git"
},
{
"lessThan": "0c45a20cbe68bc4d681734f5c03891124a274257",
"status": "affected",
"version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877",
"versionType": "git"
},
{
"lessThan": "0a9bab391e336489169b95cb0d4553d921302189",
"status": "affected",
"version": "39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-crypt.c",
"drivers/md/dm-verity-target.c",
"drivers/md/dm-verity.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.169",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I\u0027m proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn\u0027t\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:02:49.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b825e0f9d68c178072bffd32dd34c39e3d2d597a"
},
{
"url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94"
},
{
"url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc"
},
{
"url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257"
},
{
"url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189"
}
],
"title": "dm-crypt, dm-verity: disable tasklets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26718",
"datePublished": "2024-04-03T14:55:18.756Z",
"dateReserved": "2024-02-19T14:20:24.161Z",
"dateUpdated": "2026-05-11T20:02:49.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26720 (GCVE-0-2024-26720)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2024-12-19 11:15
VLAI
EPSS
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2024-12-19T11:15:27.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26720",
"datePublished": "2024-04-03T14:55:20.286Z",
"dateRejected": "2024-12-19T11:15:27.766Z",
"dateReserved": "2024-02-19T14:20:24.161Z",
"dateUpdated": "2024-12-19T11:15:27.766Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26722 (GCVE-0-2024-26722)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-23 15:37
VLAI
EPSS
Title
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
There is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex
is left locked forever. That may lead to deadlock
when rt5645_jack_detect_work() is called for the second time.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
48ce529c83522944f116f03884819051f44f0fb6 , < 3dd2d99e2352903d0e0b8769e6c9b8293c7454b2
(git)
Affected: b67005b284ddaf62043468d1ce5905c17d85b0e6 , < 422d5243b9f780abd3d39da2b746e3915677b07d (git) Affected: ffe13302b8fd486f80c98019bdcb7f3e512d0eda , < 4a98bc739d0753a5810ce5630943cd7614c7717e (git) Affected: 7a3ff8a2bb2620ba6a806f0967c38be1a8d306d9 , < d14b8e2005f36319df9412d42037416d64827f6b (git) Affected: 1613195bf31e68b192bc731bea71726773e3482f , < 1f0d7792e9023e8658e901b7b76a555f6aa052ec (git) Affected: 8f82f2e4d9c4966282e494ae67b0bc05a6c2b904 , < 050ad2ca0ac169dd9e552075d2c6af1bbb46534c (git) Affected: cdba4301adda7c60a2064bf808e48fccd352aaa9 , < ed5b8b735369b40d6c1f8ef3e62d369f74b4c491 (git) Affected: cdba4301adda7c60a2064bf808e48fccd352aaa9 , < 6ef5d5b92f7117b324efaac72b3db27ae8bb3082 (git) Affected: 4.19.306 , < 4.19.307 (semver) Affected: 5.4.268 , < 5.4.269 (semver) Affected: 5.10.209 , < 5.10.210 (semver) Affected: 5.15.148 , < 5.15.149 (semver) Affected: 6.1.74 , < 6.1.79 (semver) Affected: 6.6.13 , < 6.6.18 (semver) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 4.19.307 , ≤ 4.19.* (semver) Unaffected: 5.4.269 , ≤ 5.4.* (semver) Unaffected: 5.10.210 , ≤ 5.10.* (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T17:40:07.128865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:40.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293c7454b2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/422d5243b9f780abd3d39da2b746e3915677b07d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4a98bc739d0753a5810ce5630943cd7614c7717e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d14b8e2005f36319df9412d42037416d64827f6b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1f0d7792e9023e8658e901b7b76a555f6aa052ec"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/050ad2ca0ac169dd9e552075d2c6af1bbb46534c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ed5b8b735369b40d6c1f8ef3e62d369f74b4c491"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6ef5d5b92f7117b324efaac72b3db27ae8bb3082"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt5645.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3dd2d99e2352903d0e0b8769e6c9b8293c7454b2",
"status": "affected",
"version": "48ce529c83522944f116f03884819051f44f0fb6",
"versionType": "git"
},
{
"lessThan": "422d5243b9f780abd3d39da2b746e3915677b07d",
"status": "affected",
"version": "b67005b284ddaf62043468d1ce5905c17d85b0e6",
"versionType": "git"
},
{
"lessThan": "4a98bc739d0753a5810ce5630943cd7614c7717e",
"status": "affected",
"version": "ffe13302b8fd486f80c98019bdcb7f3e512d0eda",
"versionType": "git"
},
{
"lessThan": "d14b8e2005f36319df9412d42037416d64827f6b",
"status": "affected",
"version": "7a3ff8a2bb2620ba6a806f0967c38be1a8d306d9",
"versionType": "git"
},
{
"lessThan": "1f0d7792e9023e8658e901b7b76a555f6aa052ec",
"status": "affected",
"version": "1613195bf31e68b192bc731bea71726773e3482f",
"versionType": "git"
},
{
"lessThan": "050ad2ca0ac169dd9e552075d2c6af1bbb46534c",
"status": "affected",
"version": "8f82f2e4d9c4966282e494ae67b0bc05a6c2b904",
"versionType": "git"
},
{
"lessThan": "ed5b8b735369b40d6c1f8ef3e62d369f74b4c491",
"status": "affected",
"version": "cdba4301adda7c60a2064bf808e48fccd352aaa9",
"versionType": "git"
},
{
"lessThan": "6ef5d5b92f7117b324efaac72b3db27ae8bb3082",
"status": "affected",
"version": "cdba4301adda7c60a2064bf808e48fccd352aaa9",
"versionType": "git"
},
{
"lessThan": "4.19.307",
"status": "affected",
"version": "4.19.306",
"versionType": "semver"
},
{
"lessThan": "5.4.269",
"status": "affected",
"version": "5.4.268",
"versionType": "semver"
},
{
"lessThan": "5.10.210",
"status": "affected",
"version": "5.10.209",
"versionType": "semver"
},
{
"lessThan": "5.15.149",
"status": "affected",
"version": "5.15.148",
"versionType": "semver"
},
{
"lessThan": "6.1.79",
"status": "affected",
"version": "6.1.74",
"versionType": "semver"
},
{
"lessThan": "6.6.18",
"status": "affected",
"version": "6.6.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt5645.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "4.19.306",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "5.4.268",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "5.10.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "6.1.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "6.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()\n\nThere is a path in rt5645_jack_detect_work(), where rt5645-\u003ejd_mutex\nis left locked forever. That may lead to deadlock\nwhen rt5645_jack_detect_work() is called for the second time.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:37:18.668Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293c7454b2"
},
{
"url": "https://git.kernel.org/stable/c/422d5243b9f780abd3d39da2b746e3915677b07d"
},
{
"url": "https://git.kernel.org/stable/c/4a98bc739d0753a5810ce5630943cd7614c7717e"
},
{
"url": "https://git.kernel.org/stable/c/d14b8e2005f36319df9412d42037416d64827f6b"
},
{
"url": "https://git.kernel.org/stable/c/1f0d7792e9023e8658e901b7b76a555f6aa052ec"
},
{
"url": "https://git.kernel.org/stable/c/050ad2ca0ac169dd9e552075d2c6af1bbb46534c"
},
{
"url": "https://git.kernel.org/stable/c/ed5b8b735369b40d6c1f8ef3e62d369f74b4c491"
},
{
"url": "https://git.kernel.org/stable/c/6ef5d5b92f7117b324efaac72b3db27ae8bb3082"
}
],
"title": "ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26722",
"datePublished": "2024-04-03T14:55:21.709Z",
"dateReserved": "2024-02-19T14:20:24.163Z",
"dateUpdated": "2026-05-23T15:37:18.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26723 (GCVE-0-2024-26723)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-11 20:02
VLAI
EPSS
Title
lan966x: Fix crash when adding interface under a lag
Summary
In the Linux kernel, the following vulnerability has been resolved:
lan966x: Fix crash when adding interface under a lag
There is a crash when adding one of the lan966x interfaces under a lag
interface. The issue can be reproduced like this:
ip link add name bond0 type bond miimon 100 mode balance-xor
ip link set dev eth0 master bond0
The reason is because when adding a interface under the lag it would go
through all the ports and try to figure out which other ports are under
that lag interface. And the issue is that lan966x can have ports that are
NULL pointer as they are not probed. So then iterating over these ports
it would just crash as they are NULL pointers.
The fix consists in actually checking for NULL pointers before accessing
something from the ports. Like we do in other places.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cabc9d49333df72fe0f6d58bdcf9057ba341e701 , < b9357489c46c7a43999964628db8b47d3a1f8672
(git)
Affected: cabc9d49333df72fe0f6d58bdcf9057ba341e701 , < 48fae67d837488c87379f0c9f27df7391718477c (git) Affected: cabc9d49333df72fe0f6d58bdcf9057ba341e701 , < 2a492f01228b7d091dfe38974ef40dccf8f9f2f1 (git) Affected: cabc9d49333df72fe0f6d58bdcf9057ba341e701 , < 15faa1f67ab405d47789d4702f587ec7df7ef03e (git) |
|
| Linux | Linux |
Affected:
6.1
Unaffected: 0 , < 6.1 (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
|
| linux | linux_kernel |
Affected:
cabc9d49333d , < b9357489c46c
(custom)
Affected: cabc9d49333d , < 48fae67d8374 (custom) Affected: cabc9d49333d , < 2a492f01228b (custom) Affected: cabc9d49333d , < 15faa1f67ab4 (custom) Affected: 6.1 Unaffected: 0 , < 6.1 (custom) Unaffected: 6.1.79 , ≤ 6.2 (custom) Unaffected: 6.6.18 , ≤ 6.7 (custom) Unaffected: 6.76 , ≤ 6.8 (custom) Unaffected: 0 , ≤ 6.8 (custom) cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "b9357489c46c",
"status": "affected",
"version": "cabc9d49333d",
"versionType": "custom"
},
{
"lessThan": "48fae67d8374",
"status": "affected",
"version": "cabc9d49333d",
"versionType": "custom"
},
{
"lessThan": "2a492f01228b",
"status": "affected",
"version": "cabc9d49333d",
"versionType": "custom"
},
{
"lessThan": "15faa1f67ab4",
"status": "affected",
"version": "cabc9d49333d",
"versionType": "custom"
},
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.2",
"status": "unaffected",
"version": "6.1.79",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.7",
"status": "unaffected",
"version": "6.6.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.8",
"status": "unaffected",
"version": "6.76",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T14:40:24.360692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T14:53:54.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9357489c46c7a43999964628db8b47d3a1f8672",
"status": "affected",
"version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701",
"versionType": "git"
},
{
"lessThan": "48fae67d837488c87379f0c9f27df7391718477c",
"status": "affected",
"version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701",
"versionType": "git"
},
{
"lessThan": "2a492f01228b7d091dfe38974ef40dccf8f9f2f1",
"status": "affected",
"version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701",
"versionType": "git"
},
{
"lessThan": "15faa1f67ab405d47789d4702f587ec7df7ef03e",
"status": "affected",
"version": "cabc9d49333df72fe0f6d58bdcf9057ba341e701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix crash when adding interface under a lag\n\nThere is a crash when adding one of the lan966x interfaces under a lag\ninterface. The issue can be reproduced like this:\nip link add name bond0 type bond miimon 100 mode balance-xor\nip link set dev eth0 master bond0\n\nThe reason is because when adding a interface under the lag it would go\nthrough all the ports and try to figure out which other ports are under\nthat lag interface. And the issue is that lan966x can have ports that are\nNULL pointer as they are not probed. So then iterating over these ports\nit would just crash as they are NULL pointers.\nThe fix consists in actually checking for NULL pointers before accessing\nsomething from the ports. Like we do in other places."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:02:53.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672"
},
{
"url": "https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c"
},
{
"url": "https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1"
},
{
"url": "https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e"
}
],
"title": "lan966x: Fix crash when adding interface under a lag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26723",
"datePublished": "2024-04-03T14:55:22.529Z",
"dateReserved": "2024-02-19T14:20:24.163Z",
"dateUpdated": "2026-05-11T20:02:53.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26726 (GCVE-0-2024-26726)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-11 20:02
VLAI
EPSS
Title
btrfs: don't drop extent_map for free space inode on write error
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't drop extent_map for free space inode on write error
While running the CI for an unrelated change I hit the following panic
with generic/648 on btrfs_holes_spacecache.
assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent_io.c:1385!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1
RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0
Call Trace:
<TASK>
extent_write_cache_pages+0x2ac/0x8f0
extent_writepages+0x87/0x110
do_writepages+0xd5/0x1f0
filemap_fdatawrite_wbc+0x63/0x90
__filemap_fdatawrite_range+0x5c/0x80
btrfs_fdatawrite_range+0x1f/0x50
btrfs_write_out_cache+0x507/0x560
btrfs_write_dirty_block_groups+0x32a/0x420
commit_cowonly_roots+0x21b/0x290
btrfs_commit_transaction+0x813/0x1360
btrfs_sync_file+0x51a/0x640
__x64_sys_fdatasync+0x52/0x90
do_syscall_64+0x9c/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76
This happens because we fail to write out the free space cache in one
instance, come back around and attempt to write it again. However on
the second pass through we go to call btrfs_get_extent() on the inode to
get the extent mapping. Because this is a new block group, and with the
free space inode we always search the commit root to avoid deadlocking
with the tree, we find nothing and return a EXTENT_MAP_HOLE for the
requested range.
This happens because the first time we try to write the space cache out
we hit an error, and on an error we drop the extent mapping. This is
normal for normal files, but the free space cache inode is special. We
always expect the extent map to be correct. Thus the second time
through we end up with a bogus extent map.
Since we're deprecating this feature, the most straightforward way to
fix this is to simply skip dropping the extent map range for this failed
range.
I shortened the test by using error injection to stress the area to make
it easier to reproduce. With this patch in place we no longer panic
with my error injection test.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
77cef2ec5484564eca6bd12a2b4a1e88fd766fbc , < 143842584c1237ebc248b2547c29d16bbe400a92
(git)
Affected: 77cef2ec5484564eca6bd12a2b4a1e88fd766fbc , < 02f2b95b00bf57d20320ee168b30fb7f3db8e555 (git) Affected: 77cef2ec5484564eca6bd12a2b4a1e88fd766fbc , < 7bddf18f474f166c19f91b2baf67bf7c5eda03f7 (git) Affected: 77cef2ec5484564eca6bd12a2b4a1e88fd766fbc , < a4b7741c8302e28073bfc6dd1c2e73598e5e535e (git) Affected: 77cef2ec5484564eca6bd12a2b4a1e88fd766fbc , < 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade (git) |
|
| Linux | Linux |
Affected:
3.12
Unaffected: 0 , < 3.12 (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T18:10:16.242115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:45.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "143842584c1237ebc248b2547c29d16bbe400a92",
"status": "affected",
"version": "77cef2ec5484564eca6bd12a2b4a1e88fd766fbc",
"versionType": "git"
},
{
"lessThan": "02f2b95b00bf57d20320ee168b30fb7f3db8e555",
"status": "affected",
"version": "77cef2ec5484564eca6bd12a2b4a1e88fd766fbc",
"versionType": "git"
},
{
"lessThan": "7bddf18f474f166c19f91b2baf67bf7c5eda03f7",
"status": "affected",
"version": "77cef2ec5484564eca6bd12a2b4a1e88fd766fbc",
"versionType": "git"
},
{
"lessThan": "a4b7741c8302e28073bfc6dd1c2e73598e5e535e",
"status": "affected",
"version": "77cef2ec5484564eca6bd12a2b4a1e88fd766fbc",
"versionType": "git"
},
{
"lessThan": "5571e41ec6e56e35f34ae9f5b3a335ef510e0ade",
"status": "affected",
"version": "77cef2ec5484564eca6bd12a2b4a1e88fd766fbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \u003cTASK\u003e\n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we\u0027re deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:02:57.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/143842584c1237ebc248b2547c29d16bbe400a92"
},
{
"url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555"
},
{
"url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7"
},
{
"url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e"
},
{
"url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade"
}
],
"title": "btrfs: don\u0027t drop extent_map for free space inode on write error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26726",
"datePublished": "2024-04-03T14:55:24.983Z",
"dateReserved": "2024-02-19T14:20:24.163Z",
"dateUpdated": "2026-05-11T20:02:57.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26727 (GCVE-0-2024-26727)
Vulnerability from cvelistv5 – Published: 2024-04-03 14:55 – Updated: 2026-05-23 15:37
VLAI
EPSS
Title
btrfs: do not ASSERT() if the newly created subvolume already got read
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not ASSERT() if the newly created subvolume already got read
[BUG]
There is a syzbot crash, triggered by the ASSERT() during subvolume
creation:
assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319
------------[ cut here ]------------
kernel BUG at fs/btrfs/disk-io.c:1319!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60
<TASK>
btrfs_get_new_fs_root+0xd3/0xf0
create_subvol+0xd02/0x1650
btrfs_mksubvol+0xe95/0x12b0
__btrfs_ioctl_snap_create+0x2f9/0x4f0
btrfs_ioctl_snap_create+0x16b/0x200
btrfs_ioctl+0x35f0/0x5cf0
__x64_sys_ioctl+0x19d/0x210
do_syscall_64+0x3f/0xe0
entry_SYSCALL_64_after_hwframe+0x63/0x6b
---[ end trace 0000000000000000 ]---
[CAUSE]
During create_subvol(), after inserting root item for the newly created
subvolume, we would trigger btrfs_get_new_fs_root() to get the
btrfs_root of that subvolume.
The idea here is, we have preallocated an anonymous device number for
the subvolume, thus we can assign it to the new subvolume.
But there is really nothing preventing things like backref walk to read
the new subvolume.
If that happens before we call btrfs_get_new_fs_root(), the subvolume
would be read out, with a new anonymous device number assigned already.
In that case, we would trigger ASSERT(), as we really expect no one to
read out that subvolume (which is not yet accessible from the fs).
But things like backref walk is still possible to trigger the read on
the subvolume.
Thus our assumption on the ASSERT() is not correct in the first place.
[FIX]
Fix it by removing the ASSERT(), and just free the @anon_dev, reset it
to 0, and continue.
If the subvolume tree is read out by something else, it should have
already get a new anon_dev assigned thus we only need to free the
preallocated one.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < 3f5d47eb163bceb1b9e613c9003bae5fefc0046f
(git)
Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < e31546b0f34af21738c4ceac47d662c00ee6382f (git) Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < 66b317a2fc45b2ef66527ee3f8fa08fb5beab88d (git) Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < 833775656d447c545133a744a0ed1e189ce61430 (git) Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < 5a172344bfdabb46458e03708735d7b1a918c468 (git) Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb (git) Affected: 917d608fe375041eb7f29befa6a6d7fd3cf32dde (git) Affected: 5.8.3 , < 5.9 (semver) |
|
| Linux | Linux |
Affected:
5.9
Unaffected: 0 , < 5.9 (semver) Unaffected: 5.10.210 , ≤ 5.10.* (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T19:28:59.725318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T19:29:08.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f5d47eb163bceb1b9e613c9003bae5fefc0046f",
"status": "affected",
"version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
"versionType": "git"
},
{
"lessThan": "e31546b0f34af21738c4ceac47d662c00ee6382f",
"status": "affected",
"version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
"versionType": "git"
},
{
"lessThan": "66b317a2fc45b2ef66527ee3f8fa08fb5beab88d",
"status": "affected",
"version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
"versionType": "git"
},
{
"lessThan": "833775656d447c545133a744a0ed1e189ce61430",
"status": "affected",
"version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
"versionType": "git"
},
{
"lessThan": "5a172344bfdabb46458e03708735d7b1a918c468",
"status": "affected",
"version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
"versionType": "git"
},
{
"lessThan": "e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb",
"status": "affected",
"version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
"versionType": "git"
},
{
"status": "affected",
"version": "917d608fe375041eb7f29befa6a6d7fd3cf32dde",
"versionType": "git"
},
{
"lessThan": "5.9",
"status": "affected",
"version": "5.8.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/disk-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \u003cTASK\u003e\n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:37:21.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f"
},
{
"url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f"
},
{
"url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d"
},
{
"url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430"
},
{
"url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468"
},
{
"url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb"
}
],
"title": "btrfs: do not ASSERT() if the newly created subvolume already got read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26727",
"datePublished": "2024-04-03T14:55:25.805Z",
"dateReserved": "2024-02-19T14:20:24.164Z",
"dateUpdated": "2026-05-23T15:37:21.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26731 (GCVE-0-2024-26731)
Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2026-05-23 15:37
VLAI
EPSS
Title
bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
syzbot reported the following NULL pointer dereference issue [1]:
BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
RIP: 0010:0x0
[...]
Call Trace:
<TASK>
sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230
unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called
concurrently, psock->saved_data_ready can be NULL, causing the above issue.
This patch fixes this issue by calling the appropriate data ready function
using the sk_psock_data_ready() helper and protecting it from concurrency
with sk->sk_callback_lock.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dd628fc697ee59b76bd3877c4bd13f07ccc3776f , < 4588b13abcbd561ec67f5b3c1cb2eff690990a54
(git)
Affected: 6df7f764cd3cf5a03a4a47b23be47e57e41fcd85 , < 9b099ed46dcaf1403c531ff02c3d7400fa37fa26 (git) Affected: 6df7f764cd3cf5a03a4a47b23be47e57e41fcd85 , < d61608a4e394f23e0dca099df9eb8e555453d949 (git) Affected: 6df7f764cd3cf5a03a4a47b23be47e57e41fcd85 , < 4cd12c6065dfcdeba10f49949bffcf383b3952d8 (git) Affected: d3cbd7c571446a876aefd8320500300b2c951c58 (git) Affected: 6.1.32 , < 6.1.80 (semver) Affected: 6.3.6 , < 6.4 (semver) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.1.80 , ≤ 6.1.* (semver) Unaffected: 6.6.19 , ≤ 6.6.* (semver) Unaffected: 6.7.7 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T18:10:44.552667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T21:26:34.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.980Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4588b13abcbd561ec67f5b3c1cb2eff690990a54",
"status": "affected",
"version": "dd628fc697ee59b76bd3877c4bd13f07ccc3776f",
"versionType": "git"
},
{
"lessThan": "9b099ed46dcaf1403c531ff02c3d7400fa37fa26",
"status": "affected",
"version": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85",
"versionType": "git"
},
{
"lessThan": "d61608a4e394f23e0dca099df9eb8e555453d949",
"status": "affected",
"version": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85",
"versionType": "git"
},
{
"lessThan": "4cd12c6065dfcdeba10f49949bffcf383b3952d8",
"status": "affected",
"version": "6df7f764cd3cf5a03a4a47b23be47e57e41fcd85",
"versionType": "git"
},
{
"status": "affected",
"version": "d3cbd7c571446a876aefd8320500300b2c951c58",
"versionType": "git"
},
{
"lessThan": "6.1.80",
"status": "affected",
"version": "6.1.32",
"versionType": "semver"
},
{
"lessThan": "6.4",
"status": "affected",
"version": "6.3.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "6.1.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n RIP: 0010:0x0\n [...]\n Call Trace:\n \u003cTASK\u003e\n sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock-\u003esaved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk-\u003esk_callback_lock."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:37:23.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54"
},
{
"url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26"
},
{
"url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949"
},
{
"url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8"
}
],
"title": "bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26731",
"datePublished": "2024-04-03T17:00:18.823Z",
"dateReserved": "2024-02-19T14:20:24.164Z",
"dateUpdated": "2026-05-23T15:37:23.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26733 (GCVE-0-2024-26733)
Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2026-05-11 20:03
VLAI
EPSS
Title
arp: Prevent overflow in arp_req_get().
Summary
In the Linux kernel, the following vulnerability has been resolved:
arp: Prevent overflow in arp_req_get().
syzkaller reported an overflown write in arp_req_get(). [0]
When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.
The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
the sa_data buffer is just 14 bytes.
In the splat below, 2 bytes are overflown to the next int field,
arp_flags. We initialise the field just after the memcpy(), so it's
not a problem.
However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
in arp_ioctl() before calling arp_req_get().
To avoid the overflow, let's limit the max length of memcpy().
Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
array in struct sockaddr") just silenced syzkaller.
[0]:
memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Modules linked in:
CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
sock_do_ioctl+0xdf/0x260 net/socket.c:1204
sock_ioctl+0x3ef/0x650 net/socket.c:1321
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f172b262b8d
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
</TASK>
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 97eaa2955db4120ce6ec2ef123e860bc32232c50 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f119f2325ba70cbfdec701000dcad4d88805d5b0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a3f2c083cb575d80a7627baf3339e78fedccbb91 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a7d6027790acea24446ddd6632d394096c0f4667 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.10.211 , ≤ 5.10.* (semver) Unaffected: 5.15.150 , ≤ 5.15.* (semver) Unaffected: 6.1.80 , ≤ 6.1.* (semver) Unaffected: 6.6.19 , ≤ 6.6.* (semver) Unaffected: 6.7.7 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-01T17:03:11.240Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241101-0013/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:52:00.464269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:20.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/arp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97eaa2955db4120ce6ec2ef123e860bc32232c50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f119f2325ba70cbfdec701000dcad4d88805d5b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a3f2c083cb575d80a7627baf3339e78fedccbb91",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a7d6027790acea24446ddd6632d394096c0f4667",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/arp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). [0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh-\u003eha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags. We initialise the field just after the memcpy(), so it\u0027s\nnot a problem.\n\nHowever, when dev-\u003eaddr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let\u0027s limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r-\u003earp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb \u003c0f\u003e 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:03:05.779Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587"
},
{
"url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50"
},
{
"url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0"
},
{
"url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91"
},
{
"url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a"
},
{
"url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667"
}
],
"title": "arp: Prevent overflow in arp_req_get().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26733",
"datePublished": "2024-04-03T17:00:20.437Z",
"dateReserved": "2024-02-19T14:20:24.165Z",
"dateUpdated": "2026-05-11T20:03:05.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…