Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2024-AVI-0668
Vulnerability from certfr_avis - Published: 2024-08-09 - Updated: 2024-08-09
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-52471",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52471"
},
{
"name": "CVE-2024-26601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26601"
},
{
"name": "CVE-2024-36889",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36889"
},
{
"name": "CVE-2024-35810",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35810"
},
{
"name": "CVE-2023-52834",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52834"
},
{
"name": "CVE-2024-38627",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38627"
},
{
"name": "CVE-2023-52622",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52622"
},
{
"name": "CVE-2024-38555",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38555"
},
{
"name": "CVE-2024-36921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36921"
},
{
"name": "CVE-2024-26614",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26614"
},
{
"name": "CVE-2023-52762",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52762"
},
{
"name": "CVE-2024-27030",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27030"
},
{
"name": "CVE-2024-36904",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36904"
},
{
"name": "CVE-2023-52845",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52845"
},
{
"name": "CVE-2024-27010",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27010"
},
{
"name": "CVE-2024-35912",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35912"
},
{
"name": "CVE-2024-25739",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25739"
},
{
"name": "CVE-2021-47304",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47304"
},
{
"name": "CVE-2024-35807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35807"
},
{
"name": "CVE-2022-48632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48632"
},
{
"name": "CVE-2024-26586",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26586"
},
{
"name": "CVE-2024-26961",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26961"
},
{
"name": "CVE-2024-35876",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35876"
},
{
"name": "CVE-2024-38384",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38384"
},
{
"name": "CVE-2021-47284",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47284"
},
{
"name": "CVE-2024-36945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36945"
},
{
"name": "CVE-2023-52653",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52653"
},
{
"name": "CVE-2023-52756",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52756"
},
{
"name": "CVE-2021-46939",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-46939"
},
{
"name": "CVE-2022-48743",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48743"
},
{
"name": "CVE-2024-35824",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35824"
},
{
"name": "CVE-2024-26704",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26704"
},
{
"name": "CVE-2024-35925",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35925"
},
{
"name": "CVE-2024-36886",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36886"
},
{
"name": "CVE-2023-52803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52803"
},
{
"name": "CVE-2024-21823",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21823"
},
{
"name": "CVE-2023-28746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28746"
},
{
"name": "CVE-2023-52847",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52847"
},
{
"name": "CVE-2023-52635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52635"
},
{
"name": "CVE-2023-52864",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52864"
},
{
"name": "CVE-2024-35897",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35897"
},
{
"name": "CVE-2024-38596",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38596"
},
{
"name": "CVE-2024-36929",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36929"
},
{
"name": "CVE-2024-26802",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26802"
},
{
"name": "CVE-2024-27062",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27062"
},
{
"name": "CVE-2024-26852",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26852"
},
{
"name": "CVE-2024-27395",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27395"
},
{
"name": "CVE-2024-26921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26921"
},
{
"name": "CVE-2024-35952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35952"
},
{
"name": "CVE-2024-35814",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35814"
},
{
"name": "CVE-2023-52764",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52764"
},
{
"name": "CVE-2024-26698",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26698"
},
{
"name": "CVE-2024-26686",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26686"
},
{
"name": "CVE-2024-35946",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35946"
},
{
"name": "CVE-2024-36020",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36020"
},
{
"name": "CVE-2024-35962",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35962"
},
{
"name": "CVE-2024-36917",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36917"
},
{
"name": "CVE-2023-52784",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52784"
},
{
"name": "CVE-2021-47461",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47461"
},
{
"name": "CVE-2024-26669",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26669"
},
{
"name": "CVE-2024-26940",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26940"
},
{
"name": "CVE-2024-35937",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35937"
},
{
"name": "CVE-2024-36025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36025"
},
{
"name": "CVE-2024-26773",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26773"
},
{
"name": "CVE-2024-36017",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36017"
},
{
"name": "CVE-2024-27434",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27434"
},
{
"name": "CVE-2024-40974",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40974"
},
{
"name": "CVE-2024-35924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35924"
},
{
"name": "CVE-2023-52775",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52775"
},
{
"name": "CVE-2024-36960",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36960"
},
{
"name": "CVE-2023-52486",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52486"
},
{
"name": "CVE-2023-52619",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52619"
},
{
"name": "CVE-2023-52796",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52796"
},
{
"name": "CVE-2024-36286",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36286"
},
{
"name": "CVE-2021-47579",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47579"
},
{
"name": "CVE-2024-39502",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39502"
},
{
"name": "CVE-2024-27065",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27065"
},
{
"name": "CVE-2024-27388",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27388"
},
{
"name": "CVE-2024-36005",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36005"
},
{
"name": "CVE-2024-36905",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36905"
},
{
"name": "CVE-2024-35893",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35893"
},
{
"name": "CVE-2021-47373",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47373"
},
{
"name": "CVE-2024-36270",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36270"
},
{
"name": "CVE-2023-52469",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52469"
},
{
"name": "CVE-2024-26740",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26740"
},
{
"name": "CVE-2021-47468",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47468"
},
{
"name": "CVE-2023-52809",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52809"
},
{
"name": "CVE-2023-52451",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52451"
},
{
"name": "CVE-2024-39472",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39472"
},
{
"name": "CVE-2024-35790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
},
{
"name": "CVE-2024-33621",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33621"
},
{
"name": "CVE-2024-36978",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36978"
},
{
"name": "CVE-2022-48637",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48637"
},
{
"name": "CVE-2024-35947",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35947"
},
{
"name": "CVE-2024-36927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36927"
},
{
"name": "CVE-2024-26947",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26947"
},
{
"name": "CVE-2024-26826",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26826"
},
{
"name": "CVE-2024-35847",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35847"
},
{
"name": "CVE-2024-35896",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35896"
},
{
"name": "CVE-2024-26733",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26733"
},
{
"name": "CVE-2024-39487",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39487"
},
{
"name": "CVE-2024-26837",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26837"
},
{
"name": "CVE-2024-35885",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35885"
},
{
"name": "CVE-2024-31076",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31076"
},
{
"name": "CVE-2021-47624",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47624"
},
{
"name": "CVE-2024-35910",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35910"
},
{
"name": "CVE-2022-48757",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48757"
},
{
"name": "CVE-2024-36971",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36971"
},
{
"name": "CVE-2024-26840",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26840"
},
{
"name": "CVE-2024-38663",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38663"
},
{
"name": "CVE-2023-52832",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52832"
},
{
"name": "CVE-2023-52662",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52662"
},
{
"name": "CVE-2023-52730",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52730"
},
{
"name": "CVE-2024-36941",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36941"
},
{
"name": "CVE-2024-36896",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36896"
},
{
"name": "CVE-2024-26958",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26958"
},
{
"name": "CVE-2024-26908",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26908"
},
{
"name": "CVE-2024-26960",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26960"
},
{
"name": "CVE-2024-36489",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36489"
},
{
"name": "CVE-2024-38575",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38575"
},
{
"name": "CVE-2023-52679",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52679"
},
{
"name": "CVE-2021-47018",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47018"
},
{
"name": "CVE-2024-26640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26640"
},
{
"name": "CVE-2024-35899",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35899"
},
{
"name": "CVE-2024-35823",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35823"
},
{
"name": "CVE-2023-52458",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52458"
},
{
"name": "CVE-2024-27020",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27020"
},
{
"name": "CVE-2023-52658",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52658"
},
{
"name": "CVE-2024-26737",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26737"
},
{
"name": "CVE-2024-38573",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38573"
},
{
"name": "CVE-2021-47408",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47408"
},
{
"name": "CVE-2024-39476",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39476"
},
{
"name": "CVE-2024-35938",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35938"
},
{
"name": "CVE-2024-27019",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27019"
},
{
"name": "CVE-2024-26843",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26843"
},
{
"name": "CVE-2022-48747",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48747"
},
{
"name": "CVE-2024-36950",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36950"
},
{
"name": "CVE-2024-40927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40927"
},
{
"name": "CVE-2021-47491",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47491"
},
{
"name": "CVE-2023-52885",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52885"
},
{
"name": "CVE-2024-36016",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36016"
},
{
"name": "CVE-2023-52623",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52623"
},
{
"name": "CVE-2024-39276",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39276"
},
{
"name": "CVE-2024-36940",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36940"
},
{
"name": "CVE-2023-52811",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52811"
},
{
"name": "CVE-2024-35801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35801"
},
{
"name": "CVE-2024-35930",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35930"
},
{
"name": "CVE-2024-26660",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26660"
},
{
"name": "CVE-2024-36010",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36010"
},
{
"name": "CVE-2024-26878",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26878"
},
{
"name": "CVE-2024-35900",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35900"
},
{
"name": "CVE-2024-38598",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38598"
},
{
"name": "CVE-2021-47548",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47548"
},
{
"name": "CVE-2024-26853",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26853"
},
{
"name": "CVE-2021-47393",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47393"
},
{
"name": "CVE-2024-2201",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2201"
},
{
"name": "CVE-2023-52777",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52777"
},
{
"name": "CVE-2024-35789",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35789"
},
{
"name": "CVE-2024-36979",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36979"
},
{
"name": "CVE-2024-36006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36006"
},
{
"name": "CVE-2023-52463",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52463"
},
{
"name": "CVE-2024-26925",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26925"
},
{
"name": "CVE-2024-26870",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26870"
},
{
"name": "CVE-2024-26930",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26930"
},
{
"name": "CVE-2024-36954",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36954"
},
{
"name": "CVE-2024-36933",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36933"
},
{
"name": "CVE-2024-26810",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26810"
},
{
"name": "CVE-2023-52530",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52530"
},
{
"name": "CVE-2024-26772",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26772"
},
{
"name": "CVE-2024-36000",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36000"
},
{
"name": "CVE-2023-52648",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52648"
},
{
"name": "CVE-2023-52791",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52791"
},
{
"name": "CVE-2024-38538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38538"
},
{
"name": "CVE-2023-52707",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52707"
},
{
"name": "CVE-2024-27025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27025"
},
{
"name": "CVE-2024-27011",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27011"
},
{
"name": "CVE-2021-47257",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47257"
},
{
"name": "CVE-2024-38615",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38615"
}
],
"initial_release_date": "2024-08-09T00:00:00",
"last_revision_date": "2024-08-09T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0668",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-08-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2024-08-08",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:5101",
"url": "https://access.redhat.com/errata/RHSA-2024:5101"
},
{
"published_at": "2024-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:5066",
"url": "https://access.redhat.com/errata/RHSA-2024:5066"
},
{
"published_at": "2024-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:5067",
"url": "https://access.redhat.com/errata/RHSA-2024:5067"
},
{
"published_at": "2024-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:5065",
"url": "https://access.redhat.com/errata/RHSA-2024:5065"
},
{
"published_at": "2024-08-08",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:5102",
"url": "https://access.redhat.com/errata/RHSA-2024:5102"
}
]
}
CVE-2024-26870 (GCVE-0-2024-26870)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2026-05-12 11:49
VLAI
EPSS
Title
NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
A call to listxattr() with a buffer size = 0 returns the actual
size of the buffer needed for a subsequent call. When size > 0,
nfs4_listxattr() does not return an error because either
generic_listxattr() or nfs4_listxattr_nfs4_label() consumes
exactly all the bytes then size is 0 when calling
nfs4_listxattr_nfs4_user() which then triggers the following
kernel BUG:
[ 99.403778] kernel BUG at mm/usercopy.c:102!
[ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1
[ 99.415827] Call trace:
[ 99.415985] usercopy_abort+0x70/0xa0
[ 99.416227] __check_heap_object+0x134/0x158
[ 99.416505] check_heap_object+0x150/0x188
[ 99.416696] __check_object_size.part.0+0x78/0x168
[ 99.416886] __check_object_size+0x28/0x40
[ 99.417078] listxattr+0x8c/0x120
[ 99.417252] path_listxattr+0x78/0xe0
[ 99.417476] __arm64_sys_listxattr+0x28/0x40
[ 99.417723] invoke_syscall+0x78/0x100
[ 99.417929] el0_svc_common.constprop.0+0x48/0xf0
[ 99.418186] do_el0_svc+0x24/0x38
[ 99.418376] el0_svc+0x3c/0x110
[ 99.418554] el0t_64_sync_handler+0x120/0x130
[ 99.418788] el0t_64_sync+0x194/0x198
[ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)
Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl',
thus calling lisxattr() with size = 16 will trigger the bug.
Add check on nfs4_listxattr() to return ERANGE error when it is
called with size > 0 and the return value is greater than size.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
9 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
012a211abd5db098094ce429de5f046368391e68 , < 4403438eaca6e91f02d272211c4d6b045092396b
(git)
Affected: 012a211abd5db098094ce429de5f046368391e68 , < 9d52865ff28245fc2134da9f99baff603a24407a (git) Affected: 012a211abd5db098094ce429de5f046368391e68 , < 06e828b3f1b206de08ef520fc46a40b22e1869cb (git) Affected: 012a211abd5db098094ce429de5f046368391e68 , < 79cdcc765969d23f4e3d6ea115660c3333498768 (git) Affected: 012a211abd5db098094ce429de5f046368391e68 , < 80365c9f96015bbf048fdd6c8705d3f8770132bf (git) Affected: 012a211abd5db098094ce429de5f046368391e68 , < 23bfecb4d852751d5e403557dd500bb563313baf (git) Affected: 012a211abd5db098094ce429de5f046368391e68 , < 251a658bbfceafb4d58c76b77682c8bf7bcfad65 (git) |
|
| Linux | Linux |
Affected:
5.9
Unaffected: 0 , < 5.9 (semver) Unaffected: 5.10.214 , ≤ 5.10.* (semver) Unaffected: 5.15.153 , ≤ 5.15.* (semver) Unaffected: 6.1.83 , ≤ 6.1.* (semver) Unaffected: 6.6.23 , ≤ 6.6.* (semver) Unaffected: 6.7.11 , ≤ 6.7.* (semver) Unaffected: 6.8.2 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T19:56:13.503124Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:37.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:04.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:49:46.342Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4403438eaca6e91f02d272211c4d6b045092396b",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
},
{
"lessThan": "9d52865ff28245fc2134da9f99baff603a24407a",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
},
{
"lessThan": "06e828b3f1b206de08ef520fc46a40b22e1869cb",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
},
{
"lessThan": "79cdcc765969d23f4e3d6ea115660c3333498768",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
},
{
"lessThan": "80365c9f96015bbf048fdd6c8705d3f8770132bf",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
},
{
"lessThan": "23bfecb4d852751d5e403557dd500bb563313baf",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
},
{
"lessThan": "251a658bbfceafb4d58c76b77682c8bf7bcfad65",
"status": "affected",
"version": "012a211abd5db098094ce429de5f046368391e68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\n\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size \u003e 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\n\n [ 99.403778] kernel BUG at mm/usercopy.c:102!\n [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n [ 99.415827] Call trace:\n [ 99.415985] usercopy_abort+0x70/0xa0\n [ 99.416227] __check_heap_object+0x134/0x158\n [ 99.416505] check_heap_object+0x150/0x188\n [ 99.416696] __check_object_size.part.0+0x78/0x168\n [ 99.416886] __check_object_size+0x28/0x40\n [ 99.417078] listxattr+0x8c/0x120\n [ 99.417252] path_listxattr+0x78/0xe0\n [ 99.417476] __arm64_sys_listxattr+0x28/0x40\n [ 99.417723] invoke_syscall+0x78/0x100\n [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0\n [ 99.418186] do_el0_svc+0x24/0x38\n [ 99.418376] el0_svc+0x3c/0x110\n [ 99.418554] el0t_64_sync_handler+0x120/0x130\n [ 99.418788] el0t_64_sync+0x194/0x198\n [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\n\nIssue is reproduced when generic_listxattr() returns \u0027system.nfs4_acl\u0027,\nthus calling lisxattr() with size = 16 will trigger the bug.\n\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size \u003e 0 and the return value is greater than size."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:05:43.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b"
},
{
"url": "https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a"
},
{
"url": "https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb"
},
{
"url": "https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768"
},
{
"url": "https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf"
},
{
"url": "https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf"
},
{
"url": "https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65"
}
],
"title": "NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26870",
"datePublished": "2024-04-17T10:27:30.756Z",
"dateReserved": "2024-02-19T14:20:24.184Z",
"dateUpdated": "2026-05-12T11:49:46.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26878 (GCVE-0-2024-26878)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2026-05-12 11:49
VLAI
EPSS
Title
quota: Fix potential NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
quota: Fix potential NULL pointer dereference
Below race may cause NULL pointer dereference
P1 P2
dquot_free_inode quota_off
drop_dquot_ref
remove_dquot_ref
dquots = i_dquot(inode)
dquots = i_dquot(inode)
srcu_read_lock
dquots[cnt]) != NULL (1)
dquots[type] = NULL (2)
spin_lock(&dquots[cnt]->dq_dqb_lock) (3)
....
If dquot_free_inode(or other routines) checks inode's quota pointers (1)
before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer
dereference will be triggered.
So let's fix it by using a temporary pointer to avoid this issue.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
13 references
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 8514899c1a4edf802f03c408db901063aa3f05a1
(git)
Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 49669f8e7eb053f91d239df7b1bfb4500255a9d0 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 61380537aa6dd32d8a723d98b8f1bd1b11d8fee0 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 7f9e833fc0f9b47be503af012eb5903086939754 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < f2649d98aa9ca8623149b3cb8df00c944f5655c7 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < 6afc9f4434fa8063aa768c2bf5bf98583aee0877 (git) Affected: 7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac , < d0aa72604fbd80c8aabb46eda00535ed35570f1f (git) |
|
| Linux | Linux |
Affected:
4.14
Unaffected: 0 , < 4.14 (semver) Unaffected: 4.19.311 , ≤ 4.19.* (semver) Unaffected: 5.4.273 , ≤ 5.4.* (semver) Unaffected: 5.10.214 , ≤ 5.10.* (semver) Unaffected: 5.15.153 , ≤ 5.15.* (semver) Unaffected: 6.1.83 , ≤ 6.1.* (semver) Unaffected: 6.6.23 , ≤ 6.6.* (semver) Unaffected: 6.7.11 , ≤ 6.7.* (semver) Unaffected: 6.8.2 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:04.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:48:25.754517Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:25.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:49:56.835Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8514899c1a4edf802f03c408db901063aa3f05a1",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "49669f8e7eb053f91d239df7b1bfb4500255a9d0",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "61380537aa6dd32d8a723d98b8f1bd1b11d8fee0",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "7f9e833fc0f9b47be503af012eb5903086939754",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "f2649d98aa9ca8623149b3cb8df00c944f5655c7",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "6afc9f4434fa8063aa768c2bf5bf98583aee0877",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
},
{
"lessThan": "d0aa72604fbd80c8aabb46eda00535ed35570f1f",
"status": "affected",
"version": "7b9ca4c61bc278b771fb57d6290a31ab1fc7fdac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.311",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.273",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: Fix potential NULL pointer dereference\n\nBelow race may cause NULL pointer dereference\n\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t drop_dquot_ref\n\t\t\t\t\t remove_dquot_ref\n\t\t\t\t\t dquots = i_dquot(inode)\n dquots = i_dquot(inode)\n srcu_read_lock\n dquots[cnt]) != NULL (1)\n\t\t\t\t\t dquots[type] = NULL (2)\n spin_lock(\u0026dquots[cnt]-\u003edq_dqb_lock) (3)\n ....\n\nIf dquot_free_inode(or other routines) checks inode\u0027s quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\n\nSo let\u0027s fix it by using a temporary pointer to avoid this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:06:00.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1"
},
{
"url": "https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0"
},
{
"url": "https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0"
},
{
"url": "https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25"
},
{
"url": "https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754"
},
{
"url": "https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5"
},
{
"url": "https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7"
},
{
"url": "https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877"
},
{
"url": "https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f"
}
],
"title": "quota: Fix potential NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26878",
"datePublished": "2024-04-17T10:27:35.838Z",
"dateReserved": "2024-02-19T14:20:24.185Z",
"dateUpdated": "2026-05-12T11:49:56.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26908 (GCVE-0-2024-26908)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2024-04-30 08:11
VLAI
EPSS
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2024-04-30T08:11:15.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26908",
"datePublished": "2024-04-17T10:27:54.837Z",
"dateRejected": "2024-04-30T08:11:15.076Z",
"dateReserved": "2024-02-19T14:20:24.188Z",
"dateUpdated": "2024-04-30T08:11:15.076Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}
CVE-2024-26921 (GCVE-0-2024-26921)
Vulnerability from cvelistv5 – Published: 2024-04-18 09:47 – Updated: 2026-05-11 20:06
VLAI
EPSS
Title
inet: inet_defrag: prevent sk release while still in use
Summary
In the Linux kernel, the following vulnerability has been resolved:
inet: inet_defrag: prevent sk release while still in use
ip_local_out() and other functions can pass skb->sk as function argument.
If the skb is a fragment and reassembly happens before such function call
returns, the sk must not be released.
This affects skb fragments reassembled via netfilter or similar
modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.
Eric Dumazet made an initial analysis of this bug. Quoting Eric:
Calling ip_defrag() in output path is also implying skb_orphan(),
which is buggy because output path relies on sk not disappearing.
A relevant old patch about the issue was :
8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()")
[..]
net/ipv4/ip_output.c depends on skb->sk being set, and probably to an
inet socket, not an arbitrary one.
If we orphan the packet in ipvlan, then downstream things like FQ
packet scheduler will not work properly.
We need to change ip_defrag() to only use skb_orphan() when really
needed, ie whenever frag_list is going to be used.
Eric suggested to stash sk in fragment queue and made an initial patch.
However there is a problem with this:
If skb is refragmented again right after, ip_do_fragment() will copy
head->sk to the new fragments, and sets up destructor to sock_wfree.
IOW, we have no choice but to fix up sk_wmem accouting to reflect the
fully reassembled skb, else wmem will underflow.
This change moves the orphan down into the core, to last possible moment.
As ip_defrag_offset is aliased with sk_buff->sk member, we must move the
offset into the FRAG_CB, else skb->sk gets clobbered.
This allows to delay the orphaning long enough to learn if the skb has
to be queued or if the skb is completing the reasm queue.
In the former case, things work as before, skb is orphaned. This is
safe because skb gets queued/stolen and won't continue past reasm engine.
In the latter case, we will steal the skb->sk reference, reattach it to
the head skb, and fix up wmem accouting when inet_frag inflates truesize.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 1b6de5e6575b56502665c65cf93b0ae6aa0f51ab
(git)
Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 9705f447bf9a6cd088300ad2c407b5e1c6591091 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 4318608dc28ef184158b4045896740716bea23f0 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 7d0567842b78390dd9b60f00f1d8f838d540e325 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < f4877225313d474659ee53150ccc3d553a978727 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < e09cbe017311508c21e0739e97198a8388b98981 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 18685451fc4e546fc0e718580d32df3c0e5c8272 (git) |
|
| Linux | Linux |
Affected:
4.1
Unaffected: 0 , < 4.1 (semver) Unaffected: 5.4.285 , ≤ 5.4.* (semver) Unaffected: 5.10.227 , ≤ 5.10.* (semver) Unaffected: 5.15.168 , ≤ 5.15.* (semver) Unaffected: 6.1.85 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-18T19:03:24.189248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T15:27:10.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:36:57.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c",
"net/ipv6/netfilter/nf_conntrack_reasm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b6de5e6575b56502665c65cf93b0ae6aa0f51ab",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
},
{
"lessThan": "9705f447bf9a6cd088300ad2c407b5e1c6591091",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
},
{
"lessThan": "4318608dc28ef184158b4045896740716bea23f0",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
},
{
"lessThan": "7d0567842b78390dd9b60f00f1d8f838d540e325",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
},
{
"lessThan": "f4877225313d474659ee53150ccc3d553a978727",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
},
{
"lessThan": "e09cbe017311508c21e0739e97198a8388b98981",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
},
{
"lessThan": "18685451fc4e546fc0e718580d32df3c0e5c8272",
"status": "affected",
"version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c",
"net/ipv6/netfilter/nf_conntrack_reasm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb-\u003esk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb-\u003esk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead-\u003esk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff-\u003esk member, we must move the\noffset into the FRAG_CB, else skb-\u003esk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won\u0027t continue past reasm engine.\n\nIn the latter case, we will steal the skb-\u003esk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:06:57.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b6de5e6575b56502665c65cf93b0ae6aa0f51ab"
},
{
"url": "https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091"
},
{
"url": "https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0"
},
{
"url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325"
},
{
"url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727"
},
{
"url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981"
},
{
"url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272"
}
],
"title": "inet: inet_defrag: prevent sk release while still in use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26921",
"datePublished": "2024-04-18T09:47:58.632Z",
"dateReserved": "2024-02-19T14:20:24.194Z",
"dateUpdated": "2026-05-11T20:06:57.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26925 (GCVE-0-2024-26925)
Vulnerability from cvelistv5 – Published: 2024-04-24 21:49 – Updated: 2026-05-23 15:40
VLAI
EPSS
Title
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.
nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
Impacted products
27 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4b6346dc1edfb9839d6edee7360ed31a22fa6c95 , < 61ac7284346c32f9a8c8ceac56102f7914060428
(git)
Affected: 23292bdfda5f04e704a843b8f97b0eb95ace1ca6 , < 2cee2ff7f8cce12a63a0a23ffe27f08d99541494 (git) Affected: b44a459c6561595ed7c3679599c5279204132b33 , < eb769ff4e281f751adcaf4f4445cbf30817be139 (git) Affected: 5d319f7a81431c6bb32eb4dc7d7975f99e2c8c66 , < 8d3a58af50e46167b6f1db47adadad03c0045dae (git) Affected: 720344340fb9be2765bbaab7b292ece0a4570eae , < 8038ee3c3e5b59bcd78467686db5270c68544e30 (git) Affected: 720344340fb9be2765bbaab7b292ece0a4570eae , < a34ba4bdeec0c3b629160497594908dc820110f1 (git) Affected: 720344340fb9be2765bbaab7b292ece0a4570eae , < 0d459e2ffb541841714839e8228b845458ed3b27 (git) Affected: f85ca36090cbb252bcbc95fc74c2853fc792694f (git) Affected: e07e68823116563bdbc49cef185cda6f463bc534 (git) Affected: 5.4.262 , < 5.4.274 (semver) Affected: 5.10.198 , < 5.10.215 (semver) Affected: 5.15.134 , < 5.15.155 (semver) Affected: 6.1.56 , < 6.1.86 (semver) Affected: 4.19.316 , < 4.20 (semver) Affected: 6.4.13 , < 6.5 (semver) |
|
| Linux | Linux |
Affected:
6.5
Unaffected: 0 , < 6.5 (semver) Unaffected: 5.4.274 , ≤ 5.4.* (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.155 , ≤ 5.15.* (semver) Unaffected: 6.1.86 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RM1224 LTE(4G) EU |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | RUGGEDCOM RM1224 LTE(4G) NAM |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M804PB |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M812-1 ADSL-Router |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M816-1 ADSL-Router |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M826-2 SHDSL-Router |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M874-2 |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M874-3 |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M874-3 3G-Router (CN) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M876-3 |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M876-3 (ROK) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M876-4 |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M876-4 (EU) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE M876-4 (NAM) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM853-1 (A1) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM853-1 (B1) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM853-1 (EU) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM856-1 (A1) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM856-1 (B1) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM856-1 (CN) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM856-1 (EU) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE MUM856-1 (RoW) |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE S615 EEC LAN-Router |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SCALANCE S615 LAN-Router |
Affected:
0 , < V8.2
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26925",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:46:30.592135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:12.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RM1224 LTE(4G) EU",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RM1224 LTE(4G) NAM",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M804PB",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M812-1 ADSL-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M812-1 ADSL-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M816-1 ADSL-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M816-1 ADSL-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M826-2 SHDSL-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M874-2",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M874-3",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M874-3 3G-Router (CN)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M876-3",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M876-3 (ROK)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M876-4",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M876-4 (EU)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE M876-4 (NAM)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM853-1 (A1)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM853-1 (B1)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM853-1 (EU)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM856-1 (A1)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM856-1 (B1)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM856-1 (CN)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM856-1 (EU)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE MUM856-1 (RoW)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE S615 EEC LAN-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE S615 LAN-Router",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:50:41.681Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-354112.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61ac7284346c32f9a8c8ceac56102f7914060428",
"status": "affected",
"version": "4b6346dc1edfb9839d6edee7360ed31a22fa6c95",
"versionType": "git"
},
{
"lessThan": "2cee2ff7f8cce12a63a0a23ffe27f08d99541494",
"status": "affected",
"version": "23292bdfda5f04e704a843b8f97b0eb95ace1ca6",
"versionType": "git"
},
{
"lessThan": "eb769ff4e281f751adcaf4f4445cbf30817be139",
"status": "affected",
"version": "b44a459c6561595ed7c3679599c5279204132b33",
"versionType": "git"
},
{
"lessThan": "8d3a58af50e46167b6f1db47adadad03c0045dae",
"status": "affected",
"version": "5d319f7a81431c6bb32eb4dc7d7975f99e2c8c66",
"versionType": "git"
},
{
"lessThan": "8038ee3c3e5b59bcd78467686db5270c68544e30",
"status": "affected",
"version": "720344340fb9be2765bbaab7b292ece0a4570eae",
"versionType": "git"
},
{
"lessThan": "a34ba4bdeec0c3b629160497594908dc820110f1",
"status": "affected",
"version": "720344340fb9be2765bbaab7b292ece0a4570eae",
"versionType": "git"
},
{
"lessThan": "0d459e2ffb541841714839e8228b845458ed3b27",
"status": "affected",
"version": "720344340fb9be2765bbaab7b292ece0a4570eae",
"versionType": "git"
},
{
"status": "affected",
"version": "f85ca36090cbb252bcbc95fc74c2853fc792694f",
"versionType": "git"
},
{
"status": "affected",
"version": "e07e68823116563bdbc49cef185cda6f463bc534",
"versionType": "git"
},
{
"lessThan": "5.4.274",
"status": "affected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThan": "5.10.215",
"status": "affected",
"version": "5.10.198",
"versionType": "semver"
},
{
"lessThan": "5.15.155",
"status": "affected",
"version": "5.15.134",
"versionType": "semver"
},
{
"lessThan": "6.1.86",
"status": "affected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThan": "6.5",
"status": "affected",
"version": "6.4.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "5.10.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.155",
"versionStartIncluding": "5.15.134",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.86",
"versionStartIncluding": "6.1.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:40:17.304Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428"
},
{
"url": "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494"
},
{
"url": "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139"
},
{
"url": "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae"
},
{
"url": "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30"
},
{
"url": "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1"
},
{
"url": "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27"
}
],
"title": "netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26925",
"datePublished": "2024-04-24T21:49:23.251Z",
"dateReserved": "2024-02-19T14:20:24.194Z",
"dateUpdated": "2026-05-23T15:40:17.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26930 (GCVE-0-2024-26930)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:17 – Updated: 2026-05-11 20:07
VLAI
EPSS
Title
scsi: qla2xxx: Fix double free of the ha->vp_map pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix double free of the ha->vp_map pointer
Coverity scan reported potential risk of double free of the pointer
ha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed
in function qla2x00_mem_free(ha).
Assign NULL to vp_map and kfree take care of NULL.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
430eef03a763e5e76a371ba6d02779ae4a64b6ea , < f14cee7a882cb79528f17a2335f53e9fd1848467
(git)
Affected: 430eef03a763e5e76a371ba6d02779ae4a64b6ea , < b7deb675d674f44e0ddbab87fee8f9f098925e73 (git) Affected: 430eef03a763e5e76a371ba6d02779ae4a64b6ea , < 825d63164a2e6bacb059a9afb5605425b485413f (git) Affected: 430eef03a763e5e76a371ba6d02779ae4a64b6ea , < e288285d47784fdcf7c81be56df7d65c6f10c58b (git) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:40:52.767633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:46:59.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.520Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f14cee7a882cb79528f17a2335f53e9fd1848467"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b7deb675d674f44e0ddbab87fee8f9f098925e73"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/825d63164a2e6bacb059a9afb5605425b485413f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e288285d47784fdcf7c81be56df7d65c6f10c58b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f14cee7a882cb79528f17a2335f53e9fd1848467",
"status": "affected",
"version": "430eef03a763e5e76a371ba6d02779ae4a64b6ea",
"versionType": "git"
},
{
"lessThan": "b7deb675d674f44e0ddbab87fee8f9f098925e73",
"status": "affected",
"version": "430eef03a763e5e76a371ba6d02779ae4a64b6ea",
"versionType": "git"
},
{
"lessThan": "825d63164a2e6bacb059a9afb5605425b485413f",
"status": "affected",
"version": "430eef03a763e5e76a371ba6d02779ae4a64b6ea",
"versionType": "git"
},
{
"lessThan": "e288285d47784fdcf7c81be56df7d65c6f10c58b",
"status": "affected",
"version": "430eef03a763e5e76a371ba6d02779ae4a64b6ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of the ha-\u003evp_map pointer\n\nCoverity scan reported potential risk of double free of the pointer\nha-\u003evp_map. ha-\u003evp_map was freed in qla2x00_mem_alloc(), and again freed\nin function qla2x00_mem_free(ha).\n\nAssign NULL to vp_map and kfree take care of NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:07:07.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f14cee7a882cb79528f17a2335f53e9fd1848467"
},
{
"url": "https://git.kernel.org/stable/c/b7deb675d674f44e0ddbab87fee8f9f098925e73"
},
{
"url": "https://git.kernel.org/stable/c/825d63164a2e6bacb059a9afb5605425b485413f"
},
{
"url": "https://git.kernel.org/stable/c/e288285d47784fdcf7c81be56df7d65c6f10c58b"
}
],
"title": "scsi: qla2xxx: Fix double free of the ha-\u003evp_map pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26930",
"datePublished": "2024-05-01T05:17:10.685Z",
"dateReserved": "2024-02-19T14:20:24.195Z",
"dateUpdated": "2026-05-11T20:07:07.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26940 (GCVE-0-2024-26940)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:17 – Updated: 2026-05-11 20:07
VLAI
EPSS
Title
drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed
The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the
corresponding ttm_resource_manager is not allocated.
This leads to a crash when trying to read from this file.
Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file
only when the corresponding ttm_resource_manager is allocated.
crash> bt
PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep"
#0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3
#1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a
#2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1
#3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1
#4 [ffffb954506b3c70] no_context at ffffffffb2a7e913
#5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c
#6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887
#7 [ffffb954506b3d40] page_fault at ffffffffb360116e
[exception RIP: ttm_resource_manager_debug+0x11]
RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246
RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940
RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000
RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000
R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff
R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
#9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3
RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246
RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985
RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003
RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000
R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003
ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 , < 016119154981d81c9e8f2ea3f56b9e2b4ea14500
(git)
Affected: af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 , < 042ef0afc40fa1a22b3608f22915b91ce39d128f (git) Affected: af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 , < 25e3ce59c1200f1f0563e39de151f34962ab0fe1 (git) Affected: af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 , < eb08db0fc5354fa17b7ed66dab3c503332423451 (git) Affected: af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6 , < 4be9075fec0a639384ed19975634b662bfab938f (git) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.84 , ≤ 6.1.* (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:58:47.194142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T18:50:50.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/016119154981d81c9e8f2ea3f56b9e2b4ea14500"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/042ef0afc40fa1a22b3608f22915b91ce39d128f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/25e3ce59c1200f1f0563e39de151f34962ab0fe1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eb08db0fc5354fa17b7ed66dab3c503332423451"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4be9075fec0a639384ed19975634b662bfab938f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "016119154981d81c9e8f2ea3f56b9e2b4ea14500",
"status": "affected",
"version": "af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6",
"versionType": "git"
},
{
"lessThan": "042ef0afc40fa1a22b3608f22915b91ce39d128f",
"status": "affected",
"version": "af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6",
"versionType": "git"
},
{
"lessThan": "25e3ce59c1200f1f0563e39de151f34962ab0fe1",
"status": "affected",
"version": "af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6",
"versionType": "git"
},
{
"lessThan": "eb08db0fc5354fa17b7ed66dab3c503332423451",
"status": "affected",
"version": "af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6",
"versionType": "git"
},
{
"lessThan": "4be9075fec0a639384ed19975634b662bfab938f",
"status": "affected",
"version": "af4a25bbe5e7e60ff696ef5c1ec48ab2d51c17c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed\n\nThe driver creates /sys/kernel/debug/dri/0/mob_ttm even when the\ncorresponding ttm_resource_manager is not allocated.\nThis leads to a crash when trying to read from this file.\n\nAdd a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file\nonly when the corresponding ttm_resource_manager is allocated.\n\ncrash\u003e bt\nPID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: \"grep\"\n #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3\n #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a\n #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1\n #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1\n #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913\n #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c\n #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887\n #7 [ffffb954506b3d40] page_fault at ffffffffb360116e\n [exception RIP: ttm_resource_manager_debug+0x11]\n RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246\n RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940\n RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000\n RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000\n R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff\n R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]\n #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3\n RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246\n RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985\n RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003\n RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000\n R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003\n ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:07:19.266Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/016119154981d81c9e8f2ea3f56b9e2b4ea14500"
},
{
"url": "https://git.kernel.org/stable/c/042ef0afc40fa1a22b3608f22915b91ce39d128f"
},
{
"url": "https://git.kernel.org/stable/c/25e3ce59c1200f1f0563e39de151f34962ab0fe1"
},
{
"url": "https://git.kernel.org/stable/c/eb08db0fc5354fa17b7ed66dab3c503332423451"
},
{
"url": "https://git.kernel.org/stable/c/4be9075fec0a639384ed19975634b662bfab938f"
}
],
"title": "drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26940",
"datePublished": "2024-05-01T05:17:48.607Z",
"dateReserved": "2024-02-19T14:20:24.197Z",
"dateUpdated": "2026-05-11T20:07:19.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26947 (GCVE-0-2024-26947)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:18 – Updated: 2026-05-23 15:40
VLAI
EPSS
Title
ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account
freed memory map alignment") changes the semantics of pfn_valid() to check
presence of the memory map for a PFN. A valid page for an address which
is reserved but not mapped by the kernel[1], the system crashed during
some uio test with the following memory layout:
node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]
node 0: [mem 0x00000000d0000000-0x00000000da1fffff]
the uio layout is:0xc0900000, 0x100000
the crash backtrace like:
Unable to handle kernel paging request at virtual address bff00000
[...]
CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1
Hardware name: Generic DT based system
PC is at b15_flush_kern_dcache_area+0x24/0x3c
LR is at __sync_icache_dcache+0x6c/0x98
[...]
(b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)
(__sync_icache_dcache) from (set_pte_at+0x28/0x54)
(set_pte_at) from (remap_pfn_range+0x1a0/0x274)
(remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])
(uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)
(__mmap_region) from (__do_mmap_mm+0x3ec/0x440)
(__do_mmap_mm) from (do_mmap+0x50/0x58)
(do_mmap) from (vm_mmap_pgoff+0xfc/0x188)
(vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)
(ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)
Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)
---[ end trace 09cf0734c3805d52 ]---
Kernel panic - not syncing: Fatal exception
So check if PG_reserved was set to solve this issue.
[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 , < 0c027c2bad7f5111c51a358b5d392e1a695dabff
(git)
Affected: a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 , < 9f7ddc222cae8254e93d5c169a8ae11a49d912a7 (git) Affected: a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 , < fb3a122a978626b33de3367ee1762da934c0f512 (git) Affected: a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 , < 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc (git) Affected: 6026d4032dbbe3d7f4ac2c8daa923fe74dcf41c4 (git) Affected: 65c578935bcc26ddc04e6757b2c7be95bf235b31 (git) Affected: 5.4.167 , < 5.5 (semver) Affected: 5.10.87 , < 5.11 (semver) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:40:49.744241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:46:53.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.505Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mm/flush.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c027c2bad7f5111c51a358b5d392e1a695dabff",
"status": "affected",
"version": "a4d5613c4dc6d413e0733e37db9d116a2a36b9f3",
"versionType": "git"
},
{
"lessThan": "9f7ddc222cae8254e93d5c169a8ae11a49d912a7",
"status": "affected",
"version": "a4d5613c4dc6d413e0733e37db9d116a2a36b9f3",
"versionType": "git"
},
{
"lessThan": "fb3a122a978626b33de3367ee1762da934c0f512",
"status": "affected",
"version": "a4d5613c4dc6d413e0733e37db9d116a2a36b9f3",
"versionType": "git"
},
{
"lessThan": "0c66c6f4e21cb22220cbd8821c5c73fc157d20dc",
"status": "affected",
"version": "a4d5613c4dc6d413e0733e37db9d116a2a36b9f3",
"versionType": "git"
},
{
"status": "affected",
"version": "6026d4032dbbe3d7f4ac2c8daa923fe74dcf41c4",
"versionType": "git"
},
{
"status": "affected",
"version": "65c578935bcc26ddc04e6757b2c7be95bf235b31",
"versionType": "git"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.167",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.87",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mm/flush.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is\uff1a0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:40:35.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff"
},
{
"url": "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7"
},
{
"url": "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512"
},
{
"url": "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc"
}
],
"title": "ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26947",
"datePublished": "2024-05-01T05:18:17.316Z",
"dateReserved": "2024-02-19T14:20:24.197Z",
"dateUpdated": "2026-05-23T15:40:35.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26958 (GCVE-0-2024-26958)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:19 – Updated: 2026-05-12 11:50
VLAI
EPSS
Title
nfs: fix UAF in direct writes
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs: fix UAF in direct writes
In production we have been hitting the following warning consistently
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0
Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]
RIP: 0010:refcount_warn_saturate+0x9c/0xe0
PKRU: 55555554
Call Trace:
<TASK>
? __warn+0x9f/0x130
? refcount_warn_saturate+0x9c/0xe0
? report_bug+0xcc/0x150
? handle_bug+0x3d/0x70
? exc_invalid_op+0x16/0x40
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0x9c/0xe0
nfs_direct_write_schedule_work+0x237/0x250 [nfs]
process_one_work+0x12f/0x4a0
worker_thread+0x14e/0x3b0
? ZSTD_getCParams_internal+0x220/0x220
kthread+0xdc/0x120
? __btf_name_valid+0xa0/0xa0
ret_from_fork+0x1f/0x30
This is because we're completing the nfs_direct_request twice in a row.
The source of this is when we have our commit requests to submit, we
process them and send them off, and then in the completion path for the
commit requests we have
if (nfs_commit_end(cinfo.mds))
nfs_direct_write_complete(dreq);
However since we're submitting asynchronous requests we sometimes have
one that completes before we submit the next one, so we end up calling
complete on the nfs_direct_request twice.
The only other place we use nfs_generic_commit_list() is in
__nfs_commit_inode, which wraps this call in a
nfs_commit_begin();
nfs_commit_end();
Which is a common pattern for this style of completion handling, one
that is also repeated in the direct code with get_dreq()/put_dreq()
calls around where we process events as well as in the completion paths.
Fix this by using the same pattern for the commit requests.
Before with my 200 node rocksdb stress running this warning would pop
every 10ish minutes. With my patch the stress test has been running for
several hours without popping.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < 6cd3f13aaa62970b5169d990e936b2e96943bc6a
(git)
Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < 4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5 (git) Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < 80d24b308b7ee7037fc90d8ac99f6f78df0a256f (git) Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < 3abc2d160ed8213948b147295d77d44a22c88fa3 (git) Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < e25447c35f8745337ea8bc0c9697fcac14df8605 (git) Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < 1daf52b5ffb24870fbeda20b4967526d8f9e12ab (git) Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < cf54f66e1dd78990ec6b32177bca7e6ea2144a95 (git) Affected: af7cf057933f01dc7f33ddfb5e436ad598ed17ad , < 17f46b803d4f23c66cacce81db35fef3adb8f2af (git) |
|
| Linux | Linux |
Affected:
4.5
Unaffected: 0 , < 4.5 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.154 , ≤ 5.15.* (semver) Unaffected: 6.1.84 , ≤ 6.1.* (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T13:37:27.589314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:10.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:50:48.932Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/direct.c",
"fs/nfs/write.c",
"include/linux/nfs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cd3f13aaa62970b5169d990e936b2e96943bc6a",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "80d24b308b7ee7037fc90d8ac99f6f78df0a256f",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "3abc2d160ed8213948b147295d77d44a22c88fa3",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "e25447c35f8745337ea8bc0c9697fcac14df8605",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "1daf52b5ffb24870fbeda20b4967526d8f9e12ab",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "cf54f66e1dd78990ec6b32177bca7e6ea2144a95",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
},
{
"lessThan": "17f46b803d4f23c66cacce81db35fef3adb8f2af",
"status": "affected",
"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/direct.c",
"fs/nfs/write.c",
"include/linux/nfs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we\u0027re completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we\u0027re submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:07:40.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cd3f13aaa62970b5169d990e936b2e96943bc6a"
},
{
"url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5"
},
{
"url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f"
},
{
"url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3"
},
{
"url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605"
},
{
"url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab"
},
{
"url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95"
},
{
"url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af"
}
],
"title": "nfs: fix UAF in direct writes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26958",
"datePublished": "2024-05-01T05:19:04.069Z",
"dateReserved": "2024-02-19T14:20:24.200Z",
"dateUpdated": "2026-05-12T11:50:48.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26960 (GCVE-0-2024-26960)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:19 – Updated: 2026-05-12 11:50
VLAI
EPSS
Title
mm: swap: fix race between free_swap_and_cache() and swapoff()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: swap: fix race between free_swap_and_cache() and swapoff()
There was previously a theoretical window where swapoff() could run and
teardown a swap_info_struct while a call to free_swap_and_cache() was
running in another thread. This could cause, amongst other bad
possibilities, swap_page_trans_huge_swapped() (called by
free_swap_and_cache()) to access the freed memory for swap_map.
This is a theoretical problem and I haven't been able to provoke it from a
test case. But there has been agreement based on code review that this is
possible (see link below).
Fix it by using get_swap_device()/put_swap_device(), which will stall
swapoff(). There was an extra check in _swap_info_get() to confirm that
the swap entry was not free. This isn't present in get_swap_device()
because it doesn't make sense in general due to the race between getting
the reference and swapoff. So I've added an equivalent check directly in
free_swap_and_cache().
Details of how to provoke one possible issue (thanks to David Hildenbrand
for deriving this):
--8<-----
__swap_entry_free() might be the last user and result in
"count == SWAP_HAS_CACHE".
swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.
So the question is: could someone reclaim the folio and turn
si->inuse_pages==0, before we completed swap_page_trans_huge_swapped().
Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are
still references by swap entries.
Process 1 still references subpage 0 via swap entry.
Process 2 still references subpage 1 via swap entry.
Process 1 quits. Calls free_swap_and_cache().
-> count == SWAP_HAS_CACHE
[then, preempted in the hypervisor etc.]
Process 2 quits. Calls free_swap_and_cache().
-> count == SWAP_HAS_CACHE
Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls
__try_to_reclaim_swap().
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->
put_swap_folio()->free_swap_slot()->swapcache_free_entries()->
swap_entry_free()->swap_range_free()->
...
WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);
What stops swapoff to succeed after process 2 reclaimed the swap cache
but before process1 finished its call to swap_page_trans_huge_swapped()?
--8<-----
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
9 references
Impacted products
19 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < d85c11c97ecf92d47a4b29e3faca714dc1f18d0d
(git)
Affected: 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < 2da5568ee222ce0541bfe446a07998f92ed1643e (git) Affected: 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < 1ede7f1d7eed1738d1b9333fd1e152ccb450b86a (git) Affected: 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < 0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a (git) Affected: 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < 3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39 (git) Affected: 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < 363d17e7f7907c8e27a9e86968af0eaa2301787b (git) Affected: 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e , < 82b1c07a0af603e3c47b906c8e991dc96f01688e (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.154 , ≤ 5.15.* (semver) Unaffected: 6.1.84 , ≤ 6.1.* (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < d85c11c97ecf
(custom)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < 2da5568ee222
(custom)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < 1ede7f1d7eed
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < 0f98f6d2fb5f
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < 3ce4c4c653e4
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < 363d17e7f790
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
7c00bafee87c , < 82b1c07a0af6
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
5.10.215 , < 5.11
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
6.1.84 , < 6.2
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
6.6.24 , < 6.7
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
6.8.3 , < 6.9
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
6.9
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
0 , < 4.11
(custom)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Affected:
4.11
cpe:2.3:o:linux:linux_kernel:4.11:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
5.15.154 , < 5.16
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| linux | linux_kernel |
Unaffected:
6.7.12 , < 6.8
(custom)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "d85c11c97ecf",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "2da5568ee222",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "1ede7f1d7eed",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "0f98f6d2fb5f",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "3ce4c4c653e4",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "363d17e7f790",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "82b1c07a0af6",
"status": "affected",
"version": "7c00bafee87c",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.11",
"status": "unaffected",
"version": "5.10.215",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.2",
"status": "unaffected",
"version": "6.1.84",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.7",
"status": "unaffected",
"version": "6.6.24",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.9",
"status": "unaffected",
"version": "6.8.3",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.9"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:4.11:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "4.11"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.16",
"status": "unaffected",
"version": "5.15.154",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.8",
"status": "unaffected",
"version": "6.7.12",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T21:09:23.358079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T21:09:44.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:06.048Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:50:50.097Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d85c11c97ecf92d47a4b29e3faca714dc1f18d0d",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
},
{
"lessThan": "2da5568ee222ce0541bfe446a07998f92ed1643e",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
},
{
"lessThan": "1ede7f1d7eed1738d1b9333fd1e152ccb450b86a",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
},
{
"lessThan": "0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
},
{
"lessThan": "3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
},
{
"lessThan": "363d17e7f7907c8e27a9e86968af0eaa2301787b",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
},
{
"lessThan": "82b1c07a0af603e3c47b906c8e991dc96f01688e",
"status": "affected",
"version": "7c00bafee87c7bac7ed9eced7c161f8e5332cb4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven\u0027t been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn\u0027t present in get_swap_device()\nbecause it doesn\u0027t make sense in general due to the race between getting\nthe reference and swapoff. So I\u0027ve added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8\u003c-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff-\u003etry_to_unuse() will stop as soon as soon as si-\u003einuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi-\u003einuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-\u003e count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-\u003e count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()-\u003efolio_free_swap()-\u003edelete_from_swap_cache()-\u003e\nput_swap_folio()-\u003efree_swap_slot()-\u003eswapcache_free_entries()-\u003e\nswap_entry_free()-\u003eswap_range_free()-\u003e\n...\nWRITE_ONCE(si-\u003einuse_pages, si-\u003einuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8\u003c-----"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:07:42.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d"
},
{
"url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e"
},
{
"url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a"
},
{
"url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a"
},
{
"url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39"
},
{
"url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b"
},
{
"url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e"
}
],
"title": "mm: swap: fix race between free_swap_and_cache() and swapoff()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26960",
"datePublished": "2024-05-01T05:19:12.112Z",
"dateReserved": "2024-02-19T14:20:24.201Z",
"dateUpdated": "2026-05-12T11:50:50.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…