Vulnerability-Lookup

CERTFR-2024-AVI-0381

Vulnerability from certfr_avis - Published: 2024-05-10 - Updated: 2024-05-10

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Debian	N/A	Debian bookworm (stable) versions antérieures à 6.1.90-1
	Debian	N/A	Debian bullseye (old) versions antérieures à 5.10.216-1

References

Title

Publication Time

CVE-2024-26787 (GCVE-0-2024-26787)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-12 11:49

Title

mmc: mmci: stm32: fix DMA API overlapping mappings warning

Summary

In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/0224cbc53ba82b84a…
https://git.kernel.org/stable/c/5ae5060e17a3fc38e…
https://git.kernel.org/stable/c/70af82bb9c897faa2…
https://git.kernel.org/stable/c/176e66269f0de3273…
https://git.kernel.org/stable/c/d610a307225951929…
https://git.kernel.org/stable/c/6b1ba3f9040be5efc…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 46b723dd867d599420fb640c0eaf2a866ef721d4 , < 0224cbc53ba82b84affa7619b6d1b1a254bc2c53 (git) Affected: 46b723dd867d599420fb640c0eaf2a866ef721d4 , < 5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c (git) Affected: 46b723dd867d599420fb640c0eaf2a866ef721d4 , < 70af82bb9c897faa25a44e4181f36c60312b71ef (git) Affected: 46b723dd867d599420fb640c0eaf2a866ef721d4 , < 176e66269f0de327375fc0ea51c12c2f5a97e4c4 (git) Affected: 46b723dd867d599420fb640c0eaf2a866ef721d4 , < d610a307225951929b9dff807788439454476f85 (git) Affected: 46b723dd867d599420fb640c0eaf2a866ef721d4 , < 6b1ba3f9040be5efc4396d86c9752cdc564730be (git)
Linux	Linux	Affected: 4.20 Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.213 , ≤ 5.10.* (semver) Unaffected: 5.15.152 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux subsystem	Affected: 0 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.461Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26787",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:51:02.092511Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:51.566Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:49:26.809Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mmc/host/mmci_stm32_sdmmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0224cbc53ba82b84affa7619b6d1b1a254bc2c53",
              "status": "affected",
              "version": "46b723dd867d599420fb640c0eaf2a866ef721d4",
              "versionType": "git"
            },
            {
              "lessThan": "5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c",
              "status": "affected",
              "version": "46b723dd867d599420fb640c0eaf2a866ef721d4",
              "versionType": "git"
            },
            {
              "lessThan": "70af82bb9c897faa25a44e4181f36c60312b71ef",
              "status": "affected",
              "version": "46b723dd867d599420fb640c0eaf2a866ef721d4",
              "versionType": "git"
            },
            {
              "lessThan": "176e66269f0de327375fc0ea51c12c2f5a97e4c4",
              "status": "affected",
              "version": "46b723dd867d599420fb640c0eaf2a866ef721d4",
              "versionType": "git"
            },
            {
              "lessThan": "d610a307225951929b9dff807788439454476f85",
              "status": "affected",
              "version": "46b723dd867d599420fb640c0eaf2a866ef721d4",
              "versionType": "git"
            },
            {
              "lessThan": "6b1ba3f9040be5efc4396d86c9752cdc564730be",
              "status": "affected",
              "version": "46b723dd867d599420fb640c0eaf2a866ef721d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mmc/host/mmci_stm32_sdmmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.213",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.152",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.213",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.152",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren\u0027t supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:10.919Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be"
        }
      ],
      "title": "mmc: mmci: stm32: fix DMA API overlapping mappings warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26787",
    "datePublished": "2024-04-04T08:20:19.751Z",
    "dateReserved": "2024-02-19T14:20:24.178Z",
    "dateUpdated": "2026-05-12T11:49:26.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26788 (GCVE-0-2024-26788)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-11 20:04

Title

dmaengine: fsl-qdma: init irq after reg initialization

Summary

In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: init irq after reg initialization Initialize the qDMA irqs after the registers are configured so that interrupts that may have been pending from a primary kernel don't get processed by the irq handler before it is ready to and cause panic with the following trace: Call trace: fsl_qdma_queue_handler+0xf8/0x3e8 __handle_irq_event_percpu+0x78/0x2b0 handle_irq_event_percpu+0x1c/0x68 handle_irq_event+0x44/0x78 handle_fasteoi_irq+0xc8/0x178 generic_handle_irq+0x24/0x38 __handle_domain_irq+0x90/0x100 gic_handle_irq+0x5c/0xb8 el1_irq+0xb8/0x180 _raw_spin_unlock_irqrestore+0x14/0x40 __setup_irq+0x4bc/0x798 request_threaded_irq+0xd8/0x190 devm_request_threaded_irq+0x74/0xe8 fsl_qdma_probe+0x4d4/0xca8 platform_drv_probe+0x50/0xa0 really_probe+0xe0/0x3f8 driver_probe_device+0x64/0x130 device_driver_attach+0x6c/0x78 __driver_attach+0xbc/0x158 bus_for_each_dev+0x5c/0x98 driver_attach+0x20/0x28 bus_add_driver+0x158/0x220 driver_register+0x60/0x110 __platform_driver_register+0x44/0x50 fsl_qdma_driver_init+0x18/0x20 do_one_initcall+0x48/0x258 kernel_init_freeable+0x1a4/0x23c kernel_init+0x10/0xf8 ret_from_fork+0x10/0x18

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/3cc5fb824c2125aa3…
https://git.kernel.org/stable/c/9579a21e99fe8dab2…
https://git.kernel.org/stable/c/4529c084a320be78f…
https://git.kernel.org/stable/c/474d521da890b3e35…
https://git.kernel.org/stable/c/a69c8bbb946936ac4…
https://git.kernel.org/stable/c/677102a930643c31f…
https://git.kernel.org/stable/c/87a39071e0b639f45…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 3cc5fb824c2125aa3740d905b3e5b378c8a09478 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 9579a21e99fe8dab22a253050ddff28d340d74e1 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 4529c084a320be78ff2c5e64297ae998c6fdf66b (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 474d521da890b3e3585335fb80a6044cb2553d99 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < a69c8bbb946936ac4eb6a6ae1e849435aa8d947d (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 677102a930643c31f1b4c512b041407058bdfef8 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 87a39071e0b639f45e05d296cc0538eef44ec0bd (git)
Linux	Linux	Affected: 5.1 Unaffected: 0 , < 5.1 (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26788",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-04T15:30:20.690408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:48:46.809Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.469Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/fsl-qdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3cc5fb824c2125aa3740d905b3e5b378c8a09478",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "9579a21e99fe8dab22a253050ddff28d340d74e1",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "4529c084a320be78ff2c5e64297ae998c6fdf66b",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "474d521da890b3e3585335fb80a6044cb2553d99",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "a69c8bbb946936ac4eb6a6ae1e849435aa8d947d",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "677102a930643c31f1b4c512b041407058bdfef8",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "87a39071e0b639f45e05d296cc0538eef44ec0bd",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/fsl-qdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don\u0027t get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n  Call trace:\n   fsl_qdma_queue_handler+0xf8/0x3e8\n   __handle_irq_event_percpu+0x78/0x2b0\n   handle_irq_event_percpu+0x1c/0x68\n   handle_irq_event+0x44/0x78\n   handle_fasteoi_irq+0xc8/0x178\n   generic_handle_irq+0x24/0x38\n   __handle_domain_irq+0x90/0x100\n   gic_handle_irq+0x5c/0xb8\n   el1_irq+0xb8/0x180\n   _raw_spin_unlock_irqrestore+0x14/0x40\n   __setup_irq+0x4bc/0x798\n   request_threaded_irq+0xd8/0x190\n   devm_request_threaded_irq+0x74/0xe8\n   fsl_qdma_probe+0x4d4/0xca8\n   platform_drv_probe+0x50/0xa0\n   really_probe+0xe0/0x3f8\n   driver_probe_device+0x64/0x130\n   device_driver_attach+0x6c/0x78\n   __driver_attach+0xbc/0x158\n   bus_for_each_dev+0x5c/0x98\n   driver_attach+0x20/0x28\n   bus_add_driver+0x158/0x220\n   driver_register+0x60/0x110\n   __platform_driver_register+0x44/0x50\n   fsl_qdma_driver_init+0x18/0x20\n   do_one_initcall+0x48/0x258\n   kernel_init_freeable+0x1a4/0x23c\n   kernel_init+0x10/0xf8\n   ret_from_fork+0x10/0x18"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:12.028Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478"
        },
        {
          "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b"
        },
        {
          "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99"
        },
        {
          "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d"
        },
        {
          "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8"
        },
        {
          "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd"
        }
      ],
      "title": "dmaengine: fsl-qdma: init irq after reg initialization",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26788",
    "datePublished": "2024-04-04T08:20:20.410Z",
    "dateReserved": "2024-02-19T14:20:24.178Z",
    "dateUpdated": "2026-05-11T20:04:12.028Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26790 (GCVE-0-2024-26790)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-11 20:04

Title

dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read

Summary

In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/518d78b4fac68cac2…
https://git.kernel.org/stable/c/bb3a06e9b9a30e33d…
https://git.kernel.org/stable/c/106c1ac953a66556e…
https://git.kernel.org/stable/c/237ecf1afe6c22534…
https://git.kernel.org/stable/c/5b696e9c388251f1c…
https://git.kernel.org/stable/c/ad2f8920c314e0a2d…
https://git.kernel.org/stable/c/9d739bccf261dd93e…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 518d78b4fac68cac29a263554d7f3b19da99d0da (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < bb3a06e9b9a30e33d96aadc0e077be095a4f8580 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 106c1ac953a66556ec77456c46e818208d3a9bce (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 5b696e9c388251f1c7373be92293769a489fd367 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < ad2f8920c314e0a2d9e984fc94b729eca3cda471 (git) Affected: b092529e0aa09829a6404424ce167bf3ce3235e2 , < 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e (git)
Linux	Linux	Affected: 5.1 Unaffected: 0 , < 5.1 (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-04T16:24:55.798835Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:16.312Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.493Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/fsl-qdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "518d78b4fac68cac29a263554d7f3b19da99d0da",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "bb3a06e9b9a30e33d96aadc0e077be095a4f8580",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "106c1ac953a66556ec77456c46e818208d3a9bce",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "5b696e9c388251f1c7373be92293769a489fd367",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "ad2f8920c314e0a2d9e984fc94b729eca3cda471",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            },
            {
              "lessThan": "9d739bccf261dd93ec1babf82f5c5d71dd4caa3e",
              "status": "affected",
              "version": "b092529e0aa09829a6404424ce167bf3ce3235e2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/dma/fsl-qdma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:14.312Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580"
        },
        {
          "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce"
        },
        {
          "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e"
        }
      ],
      "title": "dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26790",
    "datePublished": "2024-04-04T08:20:21.742Z",
    "dateReserved": "2024-02-19T14:20:24.178Z",
    "dateUpdated": "2026-05-11T20:04:14.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26791 (GCVE-0-2024-26791)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-11 20:04

Title

btrfs: dev-replace: properly validate device names

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: dev-replace: properly validate device names There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and fixed in a different way by Edward Adam Davis (see links).

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/11d7a2e429c02d51e…
https://git.kernel.org/stable/c/c6652e20d7d783d06…
https://git.kernel.org/stable/c/2886fe308a83968dd…
https://git.kernel.org/stable/c/ab2d68655d0f04650…
https://git.kernel.org/stable/c/f590040ce2b712177…
https://git.kernel.org/stable/c/b1690ced4d2d8b288…
https://git.kernel.org/stable/c/343eecb4ff49a7b1c…
https://git.kernel.org/stable/c/9845664b9ee47ce7e…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < 11d7a2e429c02d51e2dc90713823ea8b8d3d3a84 (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < c6652e20d7d783d060fe5f987eac7b5cabe31311 (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < 2886fe308a83968dde252302884a1e63351cf16d (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < ab2d68655d0f04650bef09fee948ff80597c5fb9 (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < f590040ce2b712177306b03c2a63b16f7d48d3c8 (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < b1690ced4d2d8b28868811fb81cd33eee5aefee1 (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < 343eecb4ff49a7b1cc1dfe86958a805cf2341cfb (git) Affected: e93c89c1aaaaaec3487c4c18dd02360371790722 , < 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 4.19.309 , ≤ 4.19.* (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.455Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26791",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:50:58.820208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:50.626Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/dev-replace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11d7a2e429c02d51e2dc90713823ea8b8d3d3a84",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "c6652e20d7d783d060fe5f987eac7b5cabe31311",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "2886fe308a83968dde252302884a1e63351cf16d",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "ab2d68655d0f04650bef09fee948ff80597c5fb9",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "f590040ce2b712177306b03c2a63b16f7d48d3c8",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "b1690ced4d2d8b28868811fb81cd33eee5aefee1",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "343eecb4ff49a7b1cc1dfe86958a805cf2341cfb",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            },
            {
              "lessThan": "9845664b9ee47ce7ee7ea93caf47d39a9d4552c4",
              "status": "affected",
              "version": "e93c89c1aaaaaec3487c4c18dd02360371790722",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/dev-replace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.309",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.309",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere\u0027s a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:15.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311"
        },
        {
          "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1"
        },
        {
          "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4"
        }
      ],
      "title": "btrfs: dev-replace: properly validate device names",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26791",
    "datePublished": "2024-04-04T08:20:22.374Z",
    "dateReserved": "2024-02-19T14:20:24.178Z",
    "dateUpdated": "2026-05-11T20:04:15.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26793 (GCVE-0-2024-26793)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-11 20:04

Title

gtp: fix use-after-free and null-ptr-deref in gtp_newlink()

Summary

In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_newlink() The gtp_link_ops operations structure for the subsystem must be registered after registering the gtp_net_ops pernet operations structure. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: [ 1010.702740] gtp: GTP module unloaded [ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI [ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1 [ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 [ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp] [ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00 [ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203 [ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000 [ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282 [ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000 [ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80 [ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400 [ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000 [ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0 [ 1010.715968] PKRU: 55555554 [ 1010.715972] Call Trace: [ 1010.715985] ? __die_body.cold+0x1a/0x1f [ 1010.715995] ? die_addr+0x43/0x70 [ 1010.716002] ? exc_general_protection+0x199/0x2f0 [ 1010.716016] ? asm_exc_general_protection+0x1e/0x30 [ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp] [ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp] [ 1010.716042] __rtnl_newlink+0x1063/0x1700 [ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0 [ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0 [ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0 [ 1010.716076] ? __kernel_text_address+0x56/0xa0 [ 1010.716084] ? unwind_get_return_address+0x5a/0xa0 [ 1010.716091] ? create_prof_cpu_mask+0x30/0x30 [ 1010.716098] ? arch_stack_walk+0x9e/0xf0 [ 1010.716106] ? stack_trace_save+0x91/0xd0 [ 1010.716113] ? stack_trace_consume_entry+0x170/0x170 [ 1010.716121] ? __lock_acquire+0x15c5/0x5380 [ 1010.716139] ? mark_held_locks+0x9e/0xe0 [ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0 [ 1010.716155] ? __rtnl_newlink+0x1700/0x1700 [ 1010.716160] rtnl_newlink+0x69/0xa0 [ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50 [ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0 [ 1010.716179] ? lock_acquire+0x1fe/0x560 [ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50 [ 1010.716196] netlink_rcv_skb+0x14d/0x440 [ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0 [ 1010.716208] ? netlink_ack+0xab0/0xab0 [ 1010.716213] ? netlink_deliver_tap+0x202/0xd50 [ 1010.716220] ? netlink_deliver_tap+0x218/0xd50 [ 1010.716226] ? __virt_addr_valid+0x30b/0x590 [ 1010.716233] netlink_unicast+0x54b/0x800 [ 1010.716240] ? netlink_attachskb+0x870/0x870 [ 1010.716248] ? __check_object_size+0x2de/0x3b0 [ 1010.716254] netlink_sendmsg+0x938/0xe40 [ 1010.716261] ? netlink_unicast+0x800/0x800 [ 1010.716269] ? __import_iovec+0x292/0x510 [ 1010.716276] ? netlink_unicast+0x800/0x800 [ 1010.716284] __sock_sendmsg+0x159/0x190 [ 1010.716290] ____sys_sendmsg+0x712/0x880 [ 1010.716297] ? sock_write_iter+0x3d0/0x3d0 [ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270 [ 1010.716309] ? lock_acquire+0x1fe/0x560 [ 1010.716315] ? drain_array_locked+0x90/0x90 [ 1010.716324] ___sys_sendmsg+0xf8/0x170 [ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170 [ 1010.716337] ? lockdep_init_map ---truncated---

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/01129059d5141d62f…
https://git.kernel.org/stable/c/ec92aa2cab6f0048f…
https://git.kernel.org/stable/c/e668b92a3a0142992…
https://git.kernel.org/stable/c/9376d059a705c5dfa…
https://git.kernel.org/stable/c/abd32d7f5c0294c1b…
https://git.kernel.org/stable/c/93dd420bc41531c9a…
https://git.kernel.org/stable/c/5366969a19a8a0d2f…
https://git.kernel.org/stable/c/616d82c3cfa2a2146…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < 01129059d5141d62fae692f7a336ae3bc712d3eb (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6 (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < e668b92a3a01429923fd5ca13e99642aab47de69 (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < 9376d059a705c5dfaac566c2d09891242013ae16 (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < abd32d7f5c0294c1b2454c5a3b13b18446bac627 (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < 93dd420bc41531c9a31498b9538ca83ba6ec191e (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < 5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8 (git) Affected: 459aa660eb1d8ce67080da1983bb81d716aa5a69 , < 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e (git)
Linux	Linux	Affected: 4.7 Unaffected: 0 , < 4.7 (semver) Unaffected: 4.19.309 , ≤ 4.19.* (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.475Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26793",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:50:52.672497Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:48.724Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "01129059d5141d62fae692f7a336ae3bc712d3eb",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "e668b92a3a01429923fd5ca13e99642aab47de69",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "9376d059a705c5dfaac566c2d09891242013ae16",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "abd32d7f5c0294c1b2454c5a3b13b18446bac627",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "93dd420bc41531c9a31498b9538ca83ba6ec191e",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            },
            {
              "lessThan": "616d82c3cfa2a2146dd7e3ae47bda7e877ee549e",
              "status": "affected",
              "version": "459aa660eb1d8ce67080da1983bb81d716aa5a69",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.309",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.309",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit \u0027general protection fault in gtp_genl_dump_pdp\u0027 bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985]  ? __die_body.cold+0x1a/0x1f\n[ 1010.715995]  ? die_addr+0x43/0x70\n[ 1010.716002]  ? exc_general_protection+0x199/0x2f0\n[ 1010.716016]  ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042]  __rtnl_newlink+0x1063/0x1700\n[ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076]  ? __kernel_text_address+0x56/0xa0\n[ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091]  ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098]  ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106]  ? stack_trace_save+0x91/0xd0\n[ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121]  ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139]  ? mark_held_locks+0x9e/0xe0\n[ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160]  rtnl_newlink+0x69/0xa0\n[ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179]  ? lock_acquire+0x1fe/0x560\n[ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196]  netlink_rcv_skb+0x14d/0x440\n[ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208]  ? netlink_ack+0xab0/0xab0\n[ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226]  ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233]  netlink_unicast+0x54b/0x800\n[ 1010.716240]  ? netlink_attachskb+0x870/0x870\n[ 1010.716248]  ? __check_object_size+0x2de/0x3b0\n[ 1010.716254]  netlink_sendmsg+0x938/0xe40\n[ 1010.716261]  ? netlink_unicast+0x800/0x800\n[ 1010.716269]  ? __import_iovec+0x292/0x510\n[ 1010.716276]  ? netlink_unicast+0x800/0x800\n[ 1010.716284]  __sock_sendmsg+0x159/0x190\n[ 1010.716290]  ____sys_sendmsg+0x712/0x880\n[ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309]  ? lock_acquire+0x1fe/0x560\n[ 1010.716315]  ? drain_array_locked+0x90/0x90\n[ 1010.716324]  ___sys_sendmsg+0xf8/0x170\n[ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337]  ? lockdep_init_map\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:17.979Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69"
        },
        {
          "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16"
        },
        {
          "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627"
        },
        {
          "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e"
        }
      ],
      "title": "gtp: fix use-after-free and null-ptr-deref in gtp_newlink()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26793",
    "datePublished": "2024-04-04T08:20:23.771Z",
    "dateReserved": "2024-02-19T14:20:24.178Z",
    "dateUpdated": "2026-05-11T20:04:17.979Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26795 (GCVE-0-2024-26795)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-06-01 16:04

Title

riscv: Sparse-Memory/vmemmap out-of-bounds fix

Summary

In the Linux kernel, the following vulnerability has been resolved: riscv: Sparse-Memory/vmemmap out-of-bounds fix Offset vmemmap so that the first page of vmemmap will be mapped to the first page of physical memory in order to ensure that vmemmap’s bounds will be respected during pfn_to_page()/page_to_pfn() operations. The conversion macros will produce correct SV39/48/57 addresses for every possible/valid DRAM_BASE inside the physical memory limits. v2:Address Alex's comments

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/5941a90c55d3bfba7…
https://git.kernel.org/stable/c/8310080799b40fd9f…
https://git.kernel.org/stable/c/a278d5c60f21aa15d…
https://git.kernel.org/stable/c/2a1728c15ec4f45ed…
https://git.kernel.org/stable/c/a11dd49dcb9376776…
https://git.kernel.org/stable/c/8af1c121b01020418…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: d95f1a542c3df396137afa217ef9bd39cb8931ca , < 5941a90c55d3bfba732b32208d58d997600b44ef (git) Affected: d95f1a542c3df396137afa217ef9bd39cb8931ca , < 8310080799b40fd9f2a8b808c657269678c149af (git) Affected: d95f1a542c3df396137afa217ef9bd39cb8931ca , < a278d5c60f21aa15d540abb2f2da6e6d795c3e6e (git) Affected: d95f1a542c3df396137afa217ef9bd39cb8931ca , < 2a1728c15ec4f45ed9248ae22f626541c179bfbe (git) Affected: d95f1a542c3df396137afa217ef9bd39cb8931ca , < a11dd49dcb9376776193e15641f84fcc1e5980c9 (git)
Linux	Linux	Affected: 5.4 Unaffected: 0 , < 5.4 (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T19:27:22.580328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T19:27:29.143Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.470Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/pgtable.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5941a90c55d3bfba732b32208d58d997600b44ef",
              "status": "affected",
              "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca",
              "versionType": "git"
            },
            {
              "lessThan": "8310080799b40fd9f2a8b808c657269678c149af",
              "status": "affected",
              "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca",
              "versionType": "git"
            },
            {
              "lessThan": "a278d5c60f21aa15d540abb2f2da6e6d795c3e6e",
              "status": "affected",
              "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca",
              "versionType": "git"
            },
            {
              "lessThan": "2a1728c15ec4f45ed9248ae22f626541c179bfbe",
              "status": "affected",
              "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca",
              "versionType": "git"
            },
            {
              "lessThan": "a11dd49dcb9376776193e15641f84fcc1e5980c9",
              "status": "affected",
              "version": "d95f1a542c3df396137afa217ef9bd39cb8931ca",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/include/asm/pgtable.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap\u2019s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex\u0027s comments"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-01T16:04:29.872Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af"
        },
        {
          "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe"
        },
        {
          "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9"
        }
      ],
      "title": "riscv: Sparse-Memory/vmemmap out-of-bounds fix",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26795",
    "datePublished": "2024-04-04T08:20:25.063Z",
    "dateReserved": "2024-02-19T14:20:24.178Z",
    "dateUpdated": "2026-06-01T16:04:29.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26801 (GCVE-0-2024-26801)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-11 20:04

Title

Bluetooth: Avoid potential use-after-free in hci_error_reset

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/e0b278650f07acf2e…
https://git.kernel.org/stable/c/98fb98fd37e42fd4c…
https://git.kernel.org/stable/c/6dd0a9dfa99f8990a…
https://git.kernel.org/stable/c/da4569d450b193e39…
https://git.kernel.org/stable/c/45085686b9559bfbe…
https://git.kernel.org/stable/c/2ab9a19d896f5a0dd…
https://git.kernel.org/stable/c/dd594cdc24f2e48da…
https://git.kernel.org/stable/c/2449007d3f73b2842…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < e0b278650f07acf2e0932149183458468a731c03 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 98fb98fd37e42fd4ce13ff657ea64503e24b6090 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < da4569d450b193e39e87119fd316c0291b585d14 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 45085686b9559bfbe3a4f41d3d695a520668f5e1 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 2ab9a19d896f5a0dd386e1f001c5309bc35f433b (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < dd594cdc24f2e48dab441732e6dfcafd6b0711d1 (git) Affected: c7741d16a57cbf97eebe53f27e8216b1ff20e20c , < 2449007d3f73b2842c9734f45f0aadb522daf592 (git)
Linux	Linux	Affected: 4.0 Unaffected: 0 , < 4.0 (semver) Unaffected: 4.19.309 , ≤ 4.19.* (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.522Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T19:27:12.303916Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T19:27:19.532Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e0b278650f07acf2e0932149183458468a731c03",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "98fb98fd37e42fd4ce13ff657ea64503e24b6090",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "da4569d450b193e39e87119fd316c0291b585d14",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "45085686b9559bfbe3a4f41d3d695a520668f5e1",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "2ab9a19d896f5a0dd386e1f001c5309bc35f433b",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "dd594cdc24f2e48dab441732e6dfcafd6b0711d1",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            },
            {
              "lessThan": "2449007d3f73b2842c9734f45f0aadb522daf592",
              "status": "affected",
              "version": "c7741d16a57cbf97eebe53f27e8216b1ff20e20c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.309",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.309",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere\u0027s the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth \u003cHASH:3b4a6\u003e]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth \u003cHASH:3b4a 6\u003e]\n   hci_error_reset+0x4f/0xa4 [bluetooth \u003cHASH:3b4a 6\u003e]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:26.136Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
        },
        {
          "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
        },
        {
          "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
        }
      ],
      "title": "Bluetooth: Avoid potential use-after-free in hci_error_reset",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26801",
    "datePublished": "2024-04-04T08:20:29.211Z",
    "dateReserved": "2024-02-19T14:20:24.179Z",
    "dateUpdated": "2026-05-11T20:04:26.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26804 (GCVE-0-2024-26804)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-23 15:38

Title

net: ip_tunnel: prevent perpetual headroom growth

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb->data points past skb->head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value. The negative value is returned because skb->head and skb->data distance is more than 64k and skb->network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev->needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel. The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future output device, rt.dev->needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0->needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0->needed_headroom gets inflated because previous packets' ipip0 step incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0->needed_headroom grows until post-expand-head reallocations result in a skb->head/data distance of more than 64k. Once that happens, skb->network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb->data point to a memory location outside skb->head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-416 - Use After Free

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/f81e94d2dcd239713…
https://git.kernel.org/stable/c/2e95350fe9db9d53c…
https://git.kernel.org/stable/c/afec0c5cd2ed71ca9…
https://git.kernel.org/stable/c/ab63de24ebea36fe7…
https://git.kernel.org/stable/c/a0a1db40b23e8ff86…
https://git.kernel.org/stable/c/049d7989c67e8dd50…
https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < f81e94d2dcd2397137edcb8b85f4c5bed5d22383 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < 2e95350fe9db9d53c701075060ac8ac883b68aee (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < afec0c5cd2ed71ca95a8b36a5e6d03333bf34282 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < ab63de24ebea36fe73ac7121738595d704b66d96 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9 (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < 049d7989c67e8dd50f07a2096dbafdb41331fb9b (git) Affected: 243aad830e8a4cdda261626fbaeddde16b08d04a , < 5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f (git) Affected: 03017375b0122453e6dda833ff7bd4191915def5 (git) Affected: 2.6.33.2 , < 2.6.34 (semver)
Linux	Linux	Affected: 2.6.34 Unaffected: 0 , < 2.6.34 (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26804",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T16:26:17.359512Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T16:40:15.613Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.557Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ip_tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f81e94d2dcd2397137edcb8b85f4c5bed5d22383",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "lessThan": "2e95350fe9db9d53c701075060ac8ac883b68aee",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "lessThan": "afec0c5cd2ed71ca95a8b36a5e6d03333bf34282",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "lessThan": "ab63de24ebea36fe73ac7121738595d704b66d96",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "lessThan": "a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "lessThan": "049d7989c67e8dd50f07a2096dbafdb41331fb9b",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "lessThan": "5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f",
              "status": "affected",
              "version": "243aad830e8a4cdda261626fbaeddde16b08d04a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "03017375b0122453e6dda833ff7bd4191915def5",
              "versionType": "git"
            },
            {
              "lessThan": "2.6.34",
              "status": "affected",
              "version": "2.6.33.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ip_tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.33.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb-\u003edata points past skb-\u003ehead allocated area.\nThis is because neigh layer does:\n  __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  IOW, we skb-\u003edata gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb-\u003ehead and skb-\u003edata distance is\nmore than 64k and skb-\u003enetwork_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev-\u003eneeded_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0-\u003eneeded_headroom based on the future\noutput device, rt.dev-\u003eneeded_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0-\u003eneeded_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0-\u003eneeded_headroom gets inflated because previous packets\u0027 ipip0 step\nincremented rt-\u003edev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0-\u003eneeded_headroom grows until\npost-expand-head reallocations result in a skb-\u003ehead/data distance of\nmore than 64k.\n\nOnce that happens, skb-\u003enetwork_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb-\u003edata point to a memory location outside\nskb-\u003ehead area.\n\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:38:06.927Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee"
        },
        {
          "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"
        }
      ],
      "title": "net: ip_tunnel: prevent perpetual headroom growth",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26804",
    "datePublished": "2024-04-04T08:20:31.305Z",
    "dateReserved": "2024-02-19T14:20:24.179Z",
    "dateUpdated": "2026-05-23T15:38:06.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26805 (GCVE-0-2024-26805)

Vulnerability from cvelistv5 – Published: 2024-04-04 08:20 – Updated: 2026-05-23 15:38

Title

netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

Summary

In the Linux kernel, the following vulnerability has been resolved: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter syzbot reported the following uninit-value access issue [1]: netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since the tailroom is not initialized when the new `skb` created, KMSAN detects uninitialized memory area when copying the data. This patch resolved this issue by correct the len from `skb->end` to `skb->len`, which is the actual data offset. BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 copy_to_iter include/linux/uio.h:197 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg net/socket.c:1066 [inline] sock_read_iter+0x467/0x580 net/socket.c:1136 call_read_iter include/linux/fs.h:2014 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x8f6/0xe00 fs/read_write.c:470 ksys_read+0x20f/0x4c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x93/0xd0 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was stored to memory at: skb_put_data include/linux/skbuff.h:2622 [inline] netlink_to_full_skb net/netlink/af_netlink.c:181 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline] __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline] netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline] netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: free_pages_prepare mm/page_alloc.c:1087 [inline] free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533 release_pages+0x23d3/0x2410 mm/swap.c:1042 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316 tlb_batch_pages ---truncated---

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/ec343a55b687a452f…
https://git.kernel.org/stable/c/9ae51361da43270f4…
https://git.kernel.org/stable/c/f19d1f98e60e68b11…
https://git.kernel.org/stable/c/c71ed29d15b1a1ed6…
https://git.kernel.org/stable/c/0b27bf4c494d61e56…
https://git.kernel.org/stable/c/d3ada42e534a83b61…
https://git.kernel.org/stable/c/59fc3e3d049e39e7d…
https://git.kernel.org/stable/c/661779e1fcafe1b74…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1853c949646005b5959c483becde86608f548f24 , < ec343a55b687a452f5e87f3b52bf9f155864df65 (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < 9ae51361da43270f4ba0eb924427a07e87e48777 (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < f19d1f98e60e68b11fc60839105dd02a30ec0d77 (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < c71ed29d15b1a1ed6c464f8c3536996963046285 (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < 0b27bf4c494d61e5663baa34c3edd7ccebf0ea44 (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < d3ada42e534a83b618bbc1e490d23bf0fdae4736 (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < 59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d (git) Affected: 1853c949646005b5959c483becde86608f548f24 , < 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (git) Affected: 92994a5f49d0a81c8643452d5c0a6e8b31d85a61 (git) Affected: 85aec6328f3346b0718211faad564a3ffa64f60e (git) Affected: d38200098e3203ba30ba06ed3f345ec6ca75234c (git) Affected: 65d48c630ff80a19c39751a4a6d3315f4c3c0280 (git) Affected: 62f43b58d2b2c4f0200b9ca2b997f4c484f0272f (git) Affected: 3.12.49 , < 3.13 (semver) Affected: 3.14.54 , < 3.15 (semver) Affected: 3.18.23 , < 3.19 (semver) Affected: 4.1.10 , < 4.2 (semver) Affected: 4.2.3 , < 4.3 (semver)
Linux	Linux	Affected: 4.3 Unaffected: 0 , < 4.3 (semver) Unaffected: 4.19.309 , ≤ 4.19.* (semver) Unaffected: 5.4.271 , ≤ 5.4.* (semver) Unaffected: 5.10.212 , ≤ 5.10.* (semver) Unaffected: 5.15.151 , ≤ 5.15.* (semver) Unaffected: 6.1.81 , ≤ 6.1.* (semver) Unaffected: 6.6.21 , ≤ 6.6.* (semver) Unaffected: 6.7.9 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26805",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-21T16:06:14.957747Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-21T16:06:26.202Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec343a55b687a452f5e87f3b52bf9f155864df65",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "9ae51361da43270f4ba0eb924427a07e87e48777",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "f19d1f98e60e68b11fc60839105dd02a30ec0d77",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "c71ed29d15b1a1ed6c464f8c3536996963046285",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "0b27bf4c494d61e5663baa34c3edd7ccebf0ea44",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "d3ada42e534a83b618bbc1e490d23bf0fdae4736",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "lessThan": "661779e1fcafe1b74b3f3fe8e980c1e207fea1fd",
              "status": "affected",
              "version": "1853c949646005b5959c483becde86608f548f24",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "92994a5f49d0a81c8643452d5c0a6e8b31d85a61",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "85aec6328f3346b0718211faad564a3ffa64f60e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d38200098e3203ba30ba06ed3f345ec6ca75234c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "65d48c630ff80a19c39751a4a6d3315f4c3c0280",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "62f43b58d2b2c4f0200b9ca2b997f4c484f0272f",
              "versionType": "git"
            },
            {
              "lessThan": "3.13",
              "status": "affected",
              "version": "3.12.49",
              "versionType": "semver"
            },
            {
              "lessThan": "3.15",
              "status": "affected",
              "version": "3.14.54",
              "versionType": "semver"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.23",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2",
              "status": "affected",
              "version": "4.1.10",
              "versionType": "semver"
            },
            {
              "lessThan": "4.3",
              "status": "affected",
              "version": "4.2.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/af_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.309",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.309",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.271",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.212",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.151",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.81",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.2.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb-\u003edata`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb-\u003eend` that is not data offset but buffer offset. The\n`skb-\u003eend` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb-\u003eend` to\n`skb-\u003elen`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:38:12.239Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777"
        },
        {
          "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77"
        },
        {
          "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736"
        },
        {
          "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd"
        }
      ],
      "title": "netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26805",
    "datePublished": "2024-04-04T08:20:32.250Z",
    "dateReserved": "2024-02-19T14:20:24.179Z",
    "dateUpdated": "2026-05-23T15:38:12.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26808 (GCVE-0-2024-26808)

Vulnerability from cvelistv5 – Published: 2024-04-04 09:50 – Updated: 2026-05-11 20:04

Title

netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER event is reported, otherwise a stale reference to netdevice remains in the hook list.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/9489e214ea8f2a903…
https://git.kernel.org/stable/c/70f17b48c86622217…
https://git.kernel.org/stable/c/af149a46890e8285d…
https://git.kernel.org/stable/c/e5888acbf1a3d8d02…
https://git.kernel.org/stable/c/36a0a80f322092384…
https://git.kernel.org/stable/c/01acb2e8666a65296…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 60a3815da702fd9e4759945f26cce5c47d3967ad , < 9489e214ea8f2a90345516016aa51f2db3a8cc2f (git) Affected: 60a3815da702fd9e4759945f26cce5c47d3967ad , < 70f17b48c86622217a58d5099d29242fc9adac58 (git) Affected: 60a3815da702fd9e4759945f26cce5c47d3967ad , < af149a46890e8285d1618bd68b8d159bdb87fdb3 (git) Affected: 60a3815da702fd9e4759945f26cce5c47d3967ad , < e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4 (git) Affected: 60a3815da702fd9e4759945f26cce5c47d3967ad , < 36a0a80f32209238469deb481967d777a3d539ee (git) Affected: 60a3815da702fd9e4759945f26cce5c47d3967ad , < 01acb2e8666a6529697141a6017edbf206921913 (git)
Linux	Linux	Affected: 5.10 Unaffected: 0 , < 5.10 (semver) Unaffected: 5.10.210 , ≤ 5.10.* (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.76 , ≤ 6.1.* (semver) Unaffected: 6.6.15 , ≤ 6.6.* (semver) Unaffected: 6.7.3 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9489e214ea8f2a90345516016aa51f2db3a8cc2f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70f17b48c86622217a58d5099d29242fc9adac58"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/af149a46890e8285d1618bd68b8d159bdb87fdb3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/36a0a80f32209238469deb481967d777a3d539ee"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/01acb2e8666a6529697141a6017edbf206921913"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26808",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T19:35:33.665875Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T19:36:03.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_chain_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9489e214ea8f2a90345516016aa51f2db3a8cc2f",
              "status": "affected",
              "version": "60a3815da702fd9e4759945f26cce5c47d3967ad",
              "versionType": "git"
            },
            {
              "lessThan": "70f17b48c86622217a58d5099d29242fc9adac58",
              "status": "affected",
              "version": "60a3815da702fd9e4759945f26cce5c47d3967ad",
              "versionType": "git"
            },
            {
              "lessThan": "af149a46890e8285d1618bd68b8d159bdb87fdb3",
              "status": "affected",
              "version": "60a3815da702fd9e4759945f26cce5c47d3967ad",
              "versionType": "git"
            },
            {
              "lessThan": "e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4",
              "status": "affected",
              "version": "60a3815da702fd9e4759945f26cce5c47d3967ad",
              "versionType": "git"
            },
            {
              "lessThan": "36a0a80f32209238469deb481967d777a3d539ee",
              "status": "affected",
              "version": "60a3815da702fd9e4759945f26cce5c47d3967ad",
              "versionType": "git"
            },
            {
              "lessThan": "01acb2e8666a6529697141a6017edbf206921913",
              "status": "affected",
              "version": "60a3815da702fd9e4759945f26cce5c47d3967ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_chain_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.210",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.149",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.76",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.15",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.3",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain\n\nRemove netdevice from inet/ingress basechain in case NETDEV_UNREGISTER\nevent is reported, otherwise a stale reference to netdevice remains in\nthe hook list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:34.339Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9489e214ea8f2a90345516016aa51f2db3a8cc2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/70f17b48c86622217a58d5099d29242fc9adac58"
        },
        {
          "url": "https://git.kernel.org/stable/c/af149a46890e8285d1618bd68b8d159bdb87fdb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5888acbf1a3d8d021990ce6c6061fd5b2bb21b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/36a0a80f32209238469deb481967d777a3d539ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/01acb2e8666a6529697141a6017edbf206921913"
        }
      ],
      "title": "netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26808",
    "datePublished": "2024-04-04T09:50:26.672Z",
    "dateReserved": "2024-02-19T14:20:24.179Z",
    "dateUpdated": "2026-05-11T20:04:34.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2024-AVI-0381

Solution

CVE-2024-26787 (GCVE-0-2024-26787)

CVE-2024-26788 (GCVE-0-2024-26788)

CVE-2024-26790 (GCVE-0-2024-26790)

CVE-2024-26791 (GCVE-0-2024-26791)

CVE-2024-26793 (GCVE-0-2024-26793)

CVE-2024-26795 (GCVE-0-2024-26795)

CVE-2024-26801 (GCVE-0-2024-26801)

CVE-2024-26804 (GCVE-0-2024-26804)

CVE-2024-26805 (GCVE-0-2024-26805)

CVE-2024-26808 (GCVE-0-2024-26808)

Tags

Sightings

Nomenclature