Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2024-AVI-1032
Vulnerability from certfr_avis - Published: 2024-11-29 - Updated: 2024-11-29
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - TUS 8.8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - TUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV 9 x86_64 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-36889",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36889"
},
{
"name": "CVE-2022-48786",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48786"
},
{
"name": "CVE-2024-41009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41009"
},
{
"name": "CVE-2024-40988",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40988"
},
{
"name": "CVE-2024-26961",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26961"
},
{
"name": "CVE-2024-26671",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26671"
},
{
"name": "CVE-2023-52489",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52489"
},
{
"name": "CVE-2022-48929",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48929"
},
{
"name": "CVE-2021-47461",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47461"
},
{
"name": "CVE-2024-27043",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27043"
},
{
"name": "CVE-2024-27399",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27399"
},
{
"name": "CVE-2024-42244",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42244"
},
{
"name": "CVE-2024-50226",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50226"
},
{
"name": "CVE-2022-48773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48773"
},
{
"name": "CVE-2024-31076",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31076"
},
{
"name": "CVE-2022-0500",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0500"
},
{
"name": "CVE-2024-35823",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35823"
},
{
"name": "CVE-2021-4204",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4204"
},
{
"name": "CVE-2024-38564",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38564"
},
{
"name": "CVE-2024-41014",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41014"
},
{
"name": "CVE-2022-48686",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48686"
},
{
"name": "CVE-2024-41023",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41023"
},
{
"name": "CVE-2023-0597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0597"
},
{
"name": "CVE-2024-36920",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36920"
},
{
"name": "CVE-2021-47393",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47393"
},
{
"name": "CVE-2022-23222",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23222"
},
{
"name": "CVE-2024-46858",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46858"
}
],
"initial_release_date": "2024-11-29T00:00:00",
"last_revision_date": "2024-11-29T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1032",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-11-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10274",
"url": "https://access.redhat.com/errata/RHSA-2024:10274"
},
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10273",
"url": "https://access.redhat.com/errata/RHSA-2024:10273"
},
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10265",
"url": "https://access.redhat.com/errata/RHSA-2024:10265"
},
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10262",
"url": "https://access.redhat.com/errata/RHSA-2024:10262"
},
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10275",
"url": "https://access.redhat.com/errata/RHSA-2024:10275"
},
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10281",
"url": "https://access.redhat.com/errata/RHSA-2024:10281"
},
{
"published_at": "2024-11-26",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10282",
"url": "https://access.redhat.com/errata/RHSA-2024:10282"
}
]
}
CVE-2023-52489 (GCVE-0-2023-52489)
Vulnerability from cvelistv5 – Published: 2024-02-29 15:52 – Updated: 2026-05-11 19:28
VLAI
EPSS
Title
mm/sparsemem: fix race in accessing memory_section->usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/sparsemem: fix race in accessing memory_section->usage
The below race is observed on a PFN which falls into the device memory
region with the system memory configuration where PFN's are such that
[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end
pfn contains the device memory PFN's as well, the compaction triggered
will try on the device memory PFN's too though they end up in NOP(because
pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When
from other core, the section mappings are being removed for the
ZONE_DEVICE region, that the PFN in question belongs to, on which
compaction is currently being operated is resulting into the kernel crash
with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1].
compact_zone() memunmap_pages
------------- ---------------
__pageblock_pfn_to_page
......
(a)pfn_valid():
valid_section()//return true
(b)__remove_pages()->
sparse_remove_section()->
section_deactivate():
[Free the array ms->usage and set
ms->usage = NULL]
pfn_section_valid()
[Access ms->usage which
is NULL]
NOTE: From the above it can be said that the race is reduced to between
the pfn_valid()/pfn_section_valid() and the section deactivate with
SPASEMEM_VMEMAP enabled.
The commit b943f045a9af("mm/sparse: fix kernel crash with
pfn_section_valid check") tried to address the same problem by clearing
the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns
false thus ms->usage is not accessed.
Fix this issue by the below steps:
a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.
b) RCU protected read side critical section will either return NULL
when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.
c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No
attempt will be made to access ->usage after this as the
SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.
Thanks to David/Pavan for their inputs on this patch.
[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/
On Snapdragon SoC, with the mentioned memory configuration of PFN's as
[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of
issues daily while testing on a device farm.
For this particular issue below is the log. Though the below log is
not directly pointing to the pfn_section_valid(){ ms->usage;}, when we
loaded this dump on T32 lauterbach tool, it is pointing.
[ 540.578056] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
[ 540.578068] Mem abort info:
[ 540.578070] ESR = 0x0000000096000005
[ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits
[ 540.578077] SET = 0, FnV = 0
[ 540.578080] EA = 0, S1PTW = 0
[ 540.578082] FSC = 0x05: level 1 translation fault
[ 540.578085] Data abort info:
[ 540.578086] ISV = 0, ISS = 0x00000005
[ 540.578088] CM = 0, WnR = 0
[ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)
[ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c
[ 540.579454] lr : compact_zone+0x994/0x1058
[ 540.579460] sp : ffffffc03579b510
[ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c
[ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640
[ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000
[ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140
[ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff
[ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001
[ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440
[ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4
[ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000
---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f46edbd1b1516da1fb34c917775168d5df576f78 , < 90ad17575d26874287271127d43ef3c2af876cea
(git)
Affected: f46edbd1b1516da1fb34c917775168d5df576f78 , < b448de2459b6d62a53892487ab18b7d823ff0529 (git) Affected: f46edbd1b1516da1fb34c917775168d5df576f78 , < 68ed9e33324021e9d6b798e9db00ca3093d2012a (git) Affected: f46edbd1b1516da1fb34c917775168d5df576f78 , < 70064241f2229f7ba7b9599a98f68d9142e81a97 (git) Affected: f46edbd1b1516da1fb34c917775168d5df576f78 , < 3a01daace71b521563c38bbbf874e14c3e58adb7 (git) Affected: f46edbd1b1516da1fb34c917775168d5df576f78 , < 5ec8e8ea8b7783fab150cf86404fc38cb4db8800 (git) |
|
| Linux | Linux |
Affected:
5.3
Unaffected: 0 , < 5.3 (semver) Unaffected: 5.10.210 , ≤ 5.10.* (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.76 , ≤ 6.1.* (semver) Unaffected: 6.6.15 , ≤ 6.6.* (semver) Unaffected: 6.7.3 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T14:56:15.828991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:22:46.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:20.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mmzone.h",
"mm/sparse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90ad17575d26874287271127d43ef3c2af876cea",
"status": "affected",
"version": "f46edbd1b1516da1fb34c917775168d5df576f78",
"versionType": "git"
},
{
"lessThan": "b448de2459b6d62a53892487ab18b7d823ff0529",
"status": "affected",
"version": "f46edbd1b1516da1fb34c917775168d5df576f78",
"versionType": "git"
},
{
"lessThan": "68ed9e33324021e9d6b798e9db00ca3093d2012a",
"status": "affected",
"version": "f46edbd1b1516da1fb34c917775168d5df576f78",
"versionType": "git"
},
{
"lessThan": "70064241f2229f7ba7b9599a98f68d9142e81a97",
"status": "affected",
"version": "f46edbd1b1516da1fb34c917775168d5df576f78",
"versionType": "git"
},
{
"lessThan": "3a01daace71b521563c38bbbf874e14c3e58adb7",
"status": "affected",
"version": "f46edbd1b1516da1fb34c917775168d5df576f78",
"versionType": "git"
},
{
"lessThan": "5ec8e8ea8b7783fab150cf86404fc38cb4db8800",
"status": "affected",
"version": "f46edbd1b1516da1fb34c917775168d5df576f78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mmzone.h",
"mm/sparse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/sparsemem: fix race in accessing memory_section-\u003eusage\n\nThe below race is observed on a PFN which falls into the device memory\nregion with the system memory configuration where PFN\u0027s are such that\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end\npfn contains the device memory PFN\u0027s as well, the compaction triggered\nwill try on the device memory PFN\u0027s too though they end up in NOP(because\npfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When\nfrom other core, the section mappings are being removed for the\nZONE_DEVICE region, that the PFN in question belongs to, on which\ncompaction is currently being operated is resulting into the kernel crash\nwith CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1].\n\ncompact_zone()\t\t\tmemunmap_pages\n-------------\t\t\t---------------\n__pageblock_pfn_to_page\n ......\n (a)pfn_valid():\n valid_section()//return true\n\t\t\t (b)__remove_pages()-\u003e\n\t\t\t\t sparse_remove_section()-\u003e\n\t\t\t\t section_deactivate():\n\t\t\t\t [Free the array ms-\u003eusage and set\n\t\t\t\t ms-\u003eusage = NULL]\n pfn_section_valid()\n [Access ms-\u003eusage which\n is NULL]\n\nNOTE: From the above it can be said that the race is reduced to between\nthe pfn_valid()/pfn_section_valid() and the section deactivate with\nSPASEMEM_VMEMAP enabled.\n\nThe commit b943f045a9af(\"mm/sparse: fix kernel crash with\npfn_section_valid check\") tried to address the same problem by clearing\nthe SECTION_HAS_MEM_MAP with the expectation of valid_section() returns\nfalse thus ms-\u003eusage is not accessed.\n\nFix this issue by the below steps:\n\na) Clear SECTION_HAS_MEM_MAP before freeing the -\u003eusage.\n\nb) RCU protected read side critical section will either return NULL\n when SECTION_HAS_MEM_MAP is cleared or can successfully access -\u003eusage.\n\nc) Free the -\u003eusage with kfree_rcu() and set ms-\u003eusage = NULL. No\n attempt will be made to access -\u003eusage after this as the\n SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.\n\nThanks to David/Pavan for their inputs on this patch.\n\n[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/\n\nOn Snapdragon SoC, with the mentioned memory configuration of PFN\u0027s as\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of\nissues daily while testing on a device farm.\n\nFor this particular issue below is the log. Though the below log is\nnot directly pointing to the pfn_section_valid(){ ms-\u003eusage;}, when we\nloaded this dump on T32 lauterbach tool, it is pointing.\n\n[ 540.578056] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n[ 540.578068] Mem abort info:\n[ 540.578070] ESR = 0x0000000096000005\n[ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 540.578077] SET = 0, FnV = 0\n[ 540.578080] EA = 0, S1PTW = 0\n[ 540.578082] FSC = 0x05: level 1 translation fault\n[ 540.578085] Data abort info:\n[ 540.578086] ISV = 0, ISS = 0x00000005\n[ 540.578088] CM = 0, WnR = 0\n[ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)\n[ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c\n[ 540.579454] lr : compact_zone+0x994/0x1058\n[ 540.579460] sp : ffffffc03579b510\n[ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c\n[ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640\n[ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000\n[ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140\n[ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff\n[ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001\n[ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440\n[ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4\n[ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:28:19.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea"
},
{
"url": "https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529"
},
{
"url": "https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a"
},
{
"url": "https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97"
},
{
"url": "https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7"
},
{
"url": "https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800"
}
],
"title": "mm/sparsemem: fix race in accessing memory_section-\u003eusage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52489",
"datePublished": "2024-02-29T15:52:08.718Z",
"dateReserved": "2024-02-20T12:30:33.302Z",
"dateUpdated": "2026-05-11T19:28:19.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26671 (GCVE-0-2024-26671)
Vulnerability from cvelistv5 – Published: 2024-04-02 06:49 – Updated: 2026-05-11 20:01
VLAI
EPSS
Title
blk-mq: fix IO hang from sbitmap wakeup race
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix IO hang from sbitmap wakeup race
In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered
with the following blk_mq_get_driver_tag() in case of getting driver
tag failure.
Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe
the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime
blk_mq_mark_tag_wait() can't get driver tag successfully.
This issue can be reproduced by running the following test in loop, and
fio hang can be observed in < 30min when running it on my test VM
in laptop.
modprobe -r scsi_debug
modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
--runtime=100 --numjobs=40 --time_based --name=test \
--ioengine=libaio
Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which
is just fine in case of running out of tag.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
da55f2cc78418dee88400aafbbaed19d7ac8188e , < 9525b38180e2753f0daa1a522b7767a2aa969676
(git)
Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10 (git) Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < 7610ba1319253225a9ba8a9d28d472fc883b4e2f (git) Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < 89e0e66682e1538aeeaa3109503473663cd24c8b (git) Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < 1d9c777d3e70bdc57dddf7a14a80059d65919e56 (git) Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < 6d8b01624a2540336a32be91f25187a433af53a0 (git) Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < f1bc0d8163f8ee84a8d5affdf624cfad657df1d2 (git) Affected: da55f2cc78418dee88400aafbbaed19d7ac8188e , < 5266caaf5660529e3da53004b8b7174cab6374ed (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 4.19.307 , ≤ 4.19.* (semver) Unaffected: 5.4.269 , ≤ 5.4.* (semver) Unaffected: 5.10.210 , ≤ 5.10.* (semver) Unaffected: 5.15.149 , ≤ 5.15.* (semver) Unaffected: 6.1.77 , ≤ 6.1.* (semver) Unaffected: 6.6.16 , ≤ 6.6.* (semver) Unaffected: 6.7.4 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.464Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26671",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:53:32.693372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:37.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9525b38180e2753f0daa1a522b7767a2aa969676",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "7610ba1319253225a9ba8a9d28d472fc883b4e2f",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "89e0e66682e1538aeeaa3109503473663cd24c8b",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "1d9c777d3e70bdc57dddf7a14a80059d65919e56",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "6d8b01624a2540336a32be91f25187a433af53a0",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "f1bc0d8163f8ee84a8d5affdf624cfad657df1d2",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
},
{
"lessThan": "5266caaf5660529e3da53004b8b7174cab6374ed",
"status": "affected",
"version": "da55f2cc78418dee88400aafbbaed19d7ac8188e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.77",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.16",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can\u0027t get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in \u003c 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:01:56.325Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676"
},
{
"url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10"
},
{
"url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f"
},
{
"url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b"
},
{
"url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56"
},
{
"url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0"
},
{
"url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2"
},
{
"url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed"
}
],
"title": "blk-mq: fix IO hang from sbitmap wakeup race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26671",
"datePublished": "2024-04-02T06:49:13.834Z",
"dateReserved": "2024-02-19T14:20:24.150Z",
"dateUpdated": "2026-05-11T20:01:56.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26961 (GCVE-0-2024-26961)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:19 – Updated: 2026-05-12 11:50
VLAI
EPSS
Title
mac802154: fix llsec key resources release in mac802154_llsec_key_del
Summary
In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154_llsec_key_del
mac802154_llsec_key_del() can free resources of a key directly without
following the RCU rules for waiting before the end of a grace period. This
may lead to use-after-free in case llsec_lookup_key() is traversing the
list of keys in parallel with a key deletion:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
Modules linked in:
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x162/0x2a0
Call Trace:
<TASK>
llsec_lookup_key.isra.0+0x890/0x9e0
mac802154_llsec_encrypt+0x30c/0x9c0
ieee802154_subif_start_xmit+0x24/0x1e0
dev_hard_start_xmit+0x13e/0x690
sch_direct_xmit+0x2ae/0xbc0
__dev_queue_xmit+0x11dd/0x3c20
dgram_sendmsg+0x90b/0xd60
__sys_sendto+0x466/0x4c0
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x45/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Also, ieee802154_llsec_key_entry structures are not freed by
mac802154_llsec_key_del():
unreferenced object 0xffff8880613b6980 (size 64):
comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
hex dump (first 32 bytes):
78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......".......
00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................
backtrace:
[<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0
[<ffffffff81c43865>] kmalloc_trace+0x25/0xc0
[<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0
[<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80
[<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0
[<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0
[<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0
[<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440
[<ffffffff86ff1d88>] genl_rcv+0x28/0x40
[<ffffffff86fec15c>] netlink_unicast+0x53c/0x820
[<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60
[<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0
[<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0
[<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0
[<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0
[<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
Handle the proper resource release in the RCU callback function
mac802154_llsec_key_del_rcu().
Note that if llsec_lookup_key() finds a key, it gets a refcount via
llsec_key_get() and locally copies key id from key_entry (which is a
list element). So it's safe to call llsec_key_put() and free the list
entry after the RCU grace period elapses.
Found by Linux Verification Center (linuxtesting.org).
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
9 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5d637d5aabd85132bd85779677d8acb708e0ed90 , < 068ab2759bc0b4daf0b964de61b2731449c86531
(git)
Affected: 5d637d5aabd85132bd85779677d8acb708e0ed90 , < d3d858650933d44ac12c1f31337e7110c2071821 (git) Affected: 5d637d5aabd85132bd85779677d8acb708e0ed90 , < dcd51ab42b7a0431575689c5f74b8b6efd45fc2f (git) Affected: 5d637d5aabd85132bd85779677d8acb708e0ed90 , < 20d3e1c8a1847497269f04d874b2a5818ec29e2d (git) Affected: 5d637d5aabd85132bd85779677d8acb708e0ed90 , < 640297c3e897bd7e1481466a6a5cb9560f1edb88 (git) Affected: 5d637d5aabd85132bd85779677d8acb708e0ed90 , < 49c8951680d7b76fceaee89dcfbab1363fb24fd1 (git) Affected: 5d637d5aabd85132bd85779677d8acb708e0ed90 , < e8a1e58345cf40b7b272e08ac7b32328b2543e40 (git) |
|
| Linux | Linux |
Affected:
3.16
Unaffected: 0 , < 3.16 (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.154 , ≤ 5.15.* (semver) Unaffected: 6.1.84 , ≤ 6.1.* (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T17:51:17.536237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:15.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.779Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:50:51.260Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/cfg802154.h",
"net/mac802154/llsec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "068ab2759bc0b4daf0b964de61b2731449c86531",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
},
{
"lessThan": "d3d858650933d44ac12c1f31337e7110c2071821",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
},
{
"lessThan": "dcd51ab42b7a0431575689c5f74b8b6efd45fc2f",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
},
{
"lessThan": "20d3e1c8a1847497269f04d874b2a5818ec29e2d",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
},
{
"lessThan": "640297c3e897bd7e1481466a6a5cb9560f1edb88",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
},
{
"lessThan": "49c8951680d7b76fceaee89dcfbab1363fb24fd1",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
},
{
"lessThan": "e8a1e58345cf40b7b272e08ac7b32328b2543e40",
"status": "affected",
"version": "5d637d5aabd85132bd85779677d8acb708e0ed90",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/cfg802154.h",
"net/mac802154/llsec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \u003cTASK\u003e\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [\u003cffffffff81dcfa62\u003e] __kmem_cache_alloc_node+0x1e2/0x2d0\n [\u003cffffffff81c43865\u003e] kmalloc_trace+0x25/0xc0\n [\u003cffffffff88968b09\u003e] mac802154_llsec_key_add+0xac9/0xcf0\n [\u003cffffffff8896e41a\u003e] ieee802154_add_llsec_key+0x5a/0x80\n [\u003cffffffff8892adc6\u003e] nl802154_add_llsec_key+0x426/0x5b0\n [\u003cffffffff86ff293e\u003e] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [\u003cffffffff86ff46d1\u003e] genl_rcv_msg+0x531/0x7d0\n [\u003cffffffff86fee7a9\u003e] netlink_rcv_skb+0x169/0x440\n [\u003cffffffff86ff1d88\u003e] genl_rcv+0x28/0x40\n [\u003cffffffff86fec15c\u003e] netlink_unicast+0x53c/0x820\n [\u003cffffffff86fecd8b\u003e] netlink_sendmsg+0x93b/0xe60\n [\u003cffffffff86b91b35\u003e] ____sys_sendmsg+0xac5/0xca0\n [\u003cffffffff86b9c3dd\u003e] ___sys_sendmsg+0x11d/0x1c0\n [\u003cffffffff86b9c65a\u003e] __sys_sendmsg+0xfa/0x1d0\n [\u003cffffffff88eadbf5\u003e] do_syscall_64+0x45/0xf0\n [\u003cffffffff890000ea\u003e] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it\u0027s safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:07:44.061Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"
},
{
"url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"
},
{
"url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"
},
{
"url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"
},
{
"url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"
},
{
"url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"
},
{
"url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"
}
],
"title": "mac802154: fix llsec key resources release in mac802154_llsec_key_del",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26961",
"datePublished": "2024-05-01T05:19:16.361Z",
"dateReserved": "2024-02-19T14:20:24.201Z",
"dateUpdated": "2026-05-12T11:50:51.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27043 (GCVE-0-2024-27043)
Vulnerability from cvelistv5 – Published: 2024-05-01 12:54 – Updated: 2026-05-11 20:09
VLAI
EPSS
Title
media: edia: dvbdev: fix a use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: edia: dvbdev: fix a use-after-free
In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed
in several error-handling paths. However, *pdvbdev is not set to NULL
after dvbdev's deallocation, causing use-after-frees in many places,
for example, in the following call chain:
budget_register
|-> dvb_dmxdev_init
|-> dvb_register_device
|-> dvb_dmxdev_release
|-> dvb_unregister_device
|-> dvb_remove_device
|-> dvb_device_put
|-> kref_put
When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in
dvb_register_device) could point to memory that had been freed in
dvb_register_device. Thereafter, this pointer is transferred to
kref_put and triggering a use-after-free.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b61901024776b25ce7b8edc31bb1757c7382a88e , < d0f5c28333822f9baa5280d813124920720fd856
(git)
Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < f20c3270f3ed5aa6919a87e4de9bf6c05fb57086 (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < 096237039d00c839f3e3a5fe6d001bf0db45b644 (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < 0d3fe80b6d175c220b3e252efc6c6777e700e98e (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < 437a111f79a2f5b2a5f21e27fdec6f40c8768712 (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < 779e8db7efb22316c8581d6c229636d2f5694a62 (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < 35674111a043b0482a9bc69da8850a83f465b07d (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < b7586e902128e4fb7bfbb661cb52e4215a65637b (git) Affected: b61901024776b25ce7b8edc31bb1757c7382a88e , < 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 (git) |
|
| Linux | Linux |
Affected:
2.6.21
Unaffected: 0 , < 2.6.21 (semver) Unaffected: 4.19.311 , ≤ 4.19.* (semver) Unaffected: 5.4.273 , ≤ 5.4.* (semver) Unaffected: 5.10.214 , ≤ 5.10.* (semver) Unaffected: 5.15.153 , ≤ 5.15.* (semver) Unaffected: 6.1.83 , ≤ 6.1.* (semver) Unaffected: 6.6.23 , ≤ 6.6.* (semver) Unaffected: 6.7.11 , ≤ 6.7.* (semver) Unaffected: 6.8.2 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d0f5c28333822f9baa5280d813124920720fd856"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f20c3270f3ed5aa6919a87e4de9bf6c05fb57086"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/096237039d00c839f3e3a5fe6d001bf0db45b644"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d3fe80b6d175c220b3e252efc6c6777e700e98e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/437a111f79a2f5b2a5f21e27fdec6f40c8768712"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/779e8db7efb22316c8581d6c229636d2f5694a62"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/35674111a043b0482a9bc69da8850a83f465b07d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b7586e902128e4fb7bfbb661cb52e4215a65637b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-15T19:22:34.576999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T19:22:42.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0f5c28333822f9baa5280d813124920720fd856",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "f20c3270f3ed5aa6919a87e4de9bf6c05fb57086",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "096237039d00c839f3e3a5fe6d001bf0db45b644",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "0d3fe80b6d175c220b3e252efc6c6777e700e98e",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "437a111f79a2f5b2a5f21e27fdec6f40c8768712",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "779e8db7efb22316c8581d6c229636d2f5694a62",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "35674111a043b0482a9bc69da8850a83f465b07d",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "b7586e902128e4fb7bfbb661cb52e4215a65637b",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
},
{
"lessThan": "8c64f4cdf4e6cc5682c52523713af8c39c94e6d5",
"status": "affected",
"version": "b61901024776b25ce7b8edc31bb1757c7382a88e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-core/dvbdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.21"
},
{
"lessThan": "2.6.21",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.214",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.311",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.273",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.214",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.153",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.83",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.23",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.11",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "2.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "2.6.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: edia: dvbdev: fix a use-after-free\n\nIn dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed\nin several error-handling paths. However, *pdvbdev is not set to NULL\nafter dvbdev\u0027s deallocation, causing use-after-frees in many places,\nfor example, in the following call chain:\n\nbudget_register\n |-\u003e dvb_dmxdev_init\n |-\u003e dvb_register_device\n |-\u003e dvb_dmxdev_release\n |-\u003e dvb_unregister_device\n |-\u003e dvb_remove_device\n |-\u003e dvb_device_put\n |-\u003e kref_put\n\nWhen calling dvb_unregister_device, dmxdev-\u003edvbdev (i.e. *pdvbdev in\ndvb_register_device) could point to memory that had been freed in\ndvb_register_device. Thereafter, this pointer is transferred to\nkref_put and triggering a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:09:17.969Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0f5c28333822f9baa5280d813124920720fd856"
},
{
"url": "https://git.kernel.org/stable/c/f20c3270f3ed5aa6919a87e4de9bf6c05fb57086"
},
{
"url": "https://git.kernel.org/stable/c/096237039d00c839f3e3a5fe6d001bf0db45b644"
},
{
"url": "https://git.kernel.org/stable/c/0d3fe80b6d175c220b3e252efc6c6777e700e98e"
},
{
"url": "https://git.kernel.org/stable/c/437a111f79a2f5b2a5f21e27fdec6f40c8768712"
},
{
"url": "https://git.kernel.org/stable/c/779e8db7efb22316c8581d6c229636d2f5694a62"
},
{
"url": "https://git.kernel.org/stable/c/35674111a043b0482a9bc69da8850a83f465b07d"
},
{
"url": "https://git.kernel.org/stable/c/b7586e902128e4fb7bfbb661cb52e4215a65637b"
},
{
"url": "https://git.kernel.org/stable/c/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5"
}
],
"title": "media: edia: dvbdev: fix a use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-27043",
"datePublished": "2024-05-01T12:54:11.197Z",
"dateReserved": "2024-02-19T14:20:24.212Z",
"dateUpdated": "2026-05-11T20:09:17.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27399 (GCVE-0-2024-27399)
Vulnerability from cvelistv5 – Published: 2024-05-13 10:24 – Updated: 2026-05-11 20:10
VLAI
EPSS
Title
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
There is a race condition between l2cap_chan_timeout() and
l2cap_chan_del(). When we use l2cap_chan_del() to delete the
channel, the chan->conn will be set to null. But the conn could
be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
As a result the null pointer dereference bug will happen. The
KASAN report triggered by POC is shown below:
[ 472.074580] ==================================================================
[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
[ 472.075308]
[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.075308] Workqueue: events l2cap_chan_timeout
[ 472.075308] Call Trace:
[ 472.075308] <TASK>
[ 472.075308] dump_stack_lvl+0x137/0x1a0
[ 472.075308] print_report+0x101/0x250
[ 472.075308] ? __virt_addr_valid+0x77/0x160
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_report+0x139/0x170
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_check_range+0x2c3/0x2e0
[ 472.075308] mutex_lock+0x68/0xc0
[ 472.075308] l2cap_chan_timeout+0x181/0x300
[ 472.075308] process_one_work+0x5d2/0xe00
[ 472.075308] worker_thread+0xe1d/0x1660
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] kthread+0x2b7/0x350
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork+0x4d/0x80
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork_asm+0x11/0x20
[ 472.075308] </TASK>
[ 472.075308] ==================================================================
[ 472.094860] Disabling lock debugging due to kernel taint
[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 472.096136] #PF: supervisor write access in kernel mode
[ 472.096136] #PF: error_code(0x0002) - not-present page
[ 472.096136] PGD 0 P4D 0
[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.096136] Workqueue: events l2cap_chan_timeout
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.096136] Call Trace:
[ 472.096136] <TASK>
[ 472.096136] ? __die_body+0x8d/0xe0
[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
[ 472.096136] ? _printk+0x7a/0xa0
[ 472.096136] ? mutex_lock+0x68/0xc0
[ 472.096136] ? add_taint+0x42/0xd0
[ 472.096136] ? exc_page_fault+0x6a/0x1b0
[ 472.096136] ? asm_exc_page_fault+0x26/0x30
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] ? mutex_lock+0x88/0xc0
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] l2cap_chan_timeo
---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
13 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3df91ea20e744344100b10ae69a17211fcf5b207 , < e137e2ba96e51902dc2878131823a96bf8e638ae
(git)
Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 6466ee65e5b27161c846c73ef407f49dfa1bd1d9 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 06acb75e7ed600d0bbf7bff5628aa8f24a97978c (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < e97e16433eb4533083b096a3824b93a5ca3aee79 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 8960ff650aec70485b40771cd8e6e8c4cb467d33 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < 955b5b6c54d95b5e7444dfc81c95c8e013f27ac0 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < eb86f955488c39526534211f2610e48a5cf8ead4 (git) Affected: 3df91ea20e744344100b10ae69a17211fcf5b207 , < adf0398cee86643b8eacde95f17d073d022f782c (git) |
|
| Linux | Linux |
Affected:
3.4
Unaffected: 0 , < 3.4 (semver) Unaffected: 4.19.314 , ≤ 4.19.* (semver) Unaffected: 5.4.276 , ≤ 5.4.* (semver) Unaffected: 5.10.217 , ≤ 5.10.* (semver) Unaffected: 5.15.159 , ≤ 5.15.* (semver) Unaffected: 6.1.91 , ≤ 6.1.* (semver) Unaffected: 6.6.31 , ≤ 6.6.* (semver) Unaffected: 6.8.10 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T20:21:44.727650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:50.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-26T15:03:06.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240926-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e137e2ba96e51902dc2878131823a96bf8e638ae",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "6466ee65e5b27161c846c73ef407f49dfa1bd1d9",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "06acb75e7ed600d0bbf7bff5628aa8f24a97978c",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "e97e16433eb4533083b096a3824b93a5ca3aee79",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "8960ff650aec70485b40771cd8e6e8c4cb467d33",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "955b5b6c54d95b5e7444dfc81c95c8e013f27ac0",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "eb86f955488c39526534211f2610e48a5cf8ead4",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "adf0398cee86643b8eacde95f17d073d022f782c",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.314",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.217",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.314",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.276",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.217",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan-\u003econn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \u003cTASK\u003e\n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \u003c/TASK\u003e\n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \u003cTASK\u003e\n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:10:16.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae"
},
{
"url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9"
},
{
"url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c"
},
{
"url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79"
},
{
"url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33"
},
{
"url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0"
},
{
"url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4"
},
{
"url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c"
}
],
"title": "Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-27399",
"datePublished": "2024-05-13T10:24:57.045Z",
"dateReserved": "2024-02-25T13:47:42.681Z",
"dateUpdated": "2026-05-11T20:10:16.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31076 (GCVE-0-2024-31076)
Vulnerability from cvelistv5 – Published: 2024-06-21 10:18 – Updated: 2026-05-11 20:10
VLAI
EPSS
Title
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
Summary
In the Linux kernel, the following vulnerability has been resolved:
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
The absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of
interrupt affinity reconfiguration via procfs. Instead, the change is
deferred until the next instance of the interrupt being triggered on the
original CPU.
When the interrupt next triggers on the original CPU, the new affinity is
enforced within __irq_move_irq(). A vector is allocated from the new CPU,
but the old vector on the original CPU remains and is not immediately
reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming
process is delayed until the next trigger of the interrupt on the new CPU.
Upon the subsequent triggering of the interrupt on the new CPU,
irq_complete_move() adds a task to the old CPU's vector_cleanup list if it
remains online. Subsequently, the timer on the old CPU iterates over its
vector_cleanup list, reclaiming old vectors.
However, a rare scenario arises if the old CPU is outgoing before the
interrupt triggers again on the new CPU.
In that case irq_force_complete_move() is not invoked on the outgoing CPU
to reclaim the old apicd->prev_vector because the interrupt isn't currently
affine to the outgoing CPU, and irq_needs_fixup() returns false. Even
though __vector_schedule_cleanup() is later called on the new CPU, it
doesn't reclaim apicd->prev_vector; instead, it simply resets both
apicd->move_in_progress and apicd->prev_vector to 0.
As a result, the vector remains unreclaimed in vector_matrix, leading to a
CPU vector leak.
To address this issue, move the invocation of irq_force_complete_move()
before the irq_needs_fixup() call to reclaim apicd->prev_vector, if the
interrupt is currently or used to be affine to the outgoing CPU.
Additionally, reclaim the vector in __vector_schedule_cleanup() as well,
following a warning message, although theoretically it should never see
apicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < a40209d355afe4ed6d533507838c9e5cd70a76d8
(git)
Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < f5f4675960609d8c5ee95f027fbf6ce380f98372 (git) Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < 6752dfcfff3ac3e16625ebd3f0ad9630900e7e76 (git) Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < 9eeda3e0071a329af1eba15f4e57dc39576bb420 (git) Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < e9c96d01d520498b169ce734a8ad1142bef86a30 (git) Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < 59f86a2908380d09cdc726461c0fbb8d8579c99f (git) Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < ebfb16fc057a016abb46a9720a54abf0d4f6abe1 (git) Affected: f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b , < a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32 (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 4.19.316 , ≤ 4.19.* (semver) Unaffected: 5.4.278 , ≤ 5.4.* (semver) Unaffected: 5.10.219 , ≤ 5.10.* (semver) Unaffected: 5.15.161 , ≤ 5.15.* (semver) Unaffected: 6.1.93 , ≤ 6.1.* (semver) Unaffected: 6.6.33 , ≤ 6.6.* (semver) Unaffected: 6.9.4 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:20:00.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:09:53.896904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:46.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/vector.c",
"kernel/irq/cpuhotplug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a40209d355afe4ed6d533507838c9e5cd70a76d8",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "f5f4675960609d8c5ee95f027fbf6ce380f98372",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "6752dfcfff3ac3e16625ebd3f0ad9630900e7e76",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "9eeda3e0071a329af1eba15f4e57dc39576bb420",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "e9c96d01d520498b169ce734a8ad1142bef86a30",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "59f86a2908380d09cdc726461c0fbb8d8579c99f",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "ebfb16fc057a016abb46a9720a54abf0d4f6abe1",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
},
{
"lessThan": "a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32",
"status": "affected",
"version": "f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/vector.c",
"kernel/irq/cpuhotplug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.278",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.219",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.316",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.278",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.219",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.93",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.4",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd-\u003emove_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU\u0027s vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd-\u003eprev_vector because the interrupt isn\u0027t currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn\u0027t reclaim apicd-\u003eprev_vector; instead, it simply resets both\napicd-\u003emove_in_progress and apicd-\u003eprev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd-\u003eprev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd-\u003emove_in_progress with apicd-\u003eprev_cpu pointing to an offline CPU."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:10:48.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8"
},
{
"url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372"
},
{
"url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76"
},
{
"url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420"
},
{
"url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30"
},
{
"url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f"
},
{
"url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1"
},
{
"url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32"
}
],
"title": "genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-31076",
"datePublished": "2024-06-21T10:18:04.335Z",
"dateReserved": "2024-06-21T10:13:16.276Z",
"dateUpdated": "2026-05-11T20:10:48.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35823 (GCVE-0-2024-35823)
Vulnerability from cvelistv5 – Published: 2024-05-17 13:23 – Updated: 2026-05-12 11:52
VLAI
EPSS
Title
vt: fix unicode buffer corruption when deleting characters
Summary
In the Linux kernel, the following vulnerability has been resolved:
vt: fix unicode buffer corruption when deleting characters
This is the same issue that was fixed for the VGA text buffer in commit
39cdb68c64d8 ("vt: fix memory overlapping when deleting chars in the
buffer"). The cure is also the same i.e. replace memcpy() with memmove()
due to the overlaping buffers.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
11 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
81732c3b2fede049a692e58a7ceabb6d18ffb18c , < fc7dfe3d123f00e720be80b920da287810a1f37d
(git)
Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < ff7342090c1e8c5a37015c89822a68b275b46f8a (git) Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < 1ce408f75ccf1e25b3fddef75cca878b55f2ac90 (git) Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < 0190d19d7651c08abc187dac3819c61b726e7e3f (git) Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < 994a1e583c0c206c8ca7d03334a65b79f4d8bc51 (git) Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < 7529cbd8b5f6697b369803fe1533612c039cabda (git) Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < 2933b1e4757a0a5c689cf48d80b1a2a85f237ff1 (git) Affected: 81732c3b2fede049a692e58a7ceabb6d18ffb18c , < 1581dafaf0d34bc9c428a794a22110d7046d186d (git) |
|
| Linux | Linux |
Affected:
3.7
Unaffected: 0 , < 3.7 (semver) Unaffected: 4.19.312 , ≤ 4.19.* (semver) Unaffected: 5.4.274 , ≤ 5.4.* (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.154 , ≤ 5.15.* (semver) Unaffected: 6.1.84 , ≤ 6.1.* (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-35823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T15:14:05.276566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T21:28:05.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:52:12.957Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc7dfe3d123f00e720be80b920da287810a1f37d",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "ff7342090c1e8c5a37015c89822a68b275b46f8a",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "1ce408f75ccf1e25b3fddef75cca878b55f2ac90",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "0190d19d7651c08abc187dac3819c61b726e7e3f",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "994a1e583c0c206c8ca7d03334a65b79f4d8bc51",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "7529cbd8b5f6697b369803fe1533612c039cabda",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "2933b1e4757a0a5c689cf48d80b1a2a85f237ff1",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
},
{
"lessThan": "1581dafaf0d34bc9c428a794a22110d7046d186d",
"status": "affected",
"version": "81732c3b2fede049a692e58a7ceabb6d18ffb18c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:11:40.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d"
},
{
"url": "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a"
},
{
"url": "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90"
},
{
"url": "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f"
},
{
"url": "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51"
},
{
"url": "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda"
},
{
"url": "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1"
},
{
"url": "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d"
}
],
"title": "vt: fix unicode buffer corruption when deleting characters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35823",
"datePublished": "2024-05-17T13:23:25.651Z",
"dateReserved": "2024-05-17T12:19:12.346Z",
"dateUpdated": "2026-05-12T11:52:12.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36889 (GCVE-0-2024-36889)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:28 – Updated: 2026-05-11 20:16
VLAI
EPSS
Title
mptcp: ensure snd_nxt is properly initialized on connect
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure snd_nxt is properly initialized on connect
Christoph reported a splat hinting at a corrupted snd_una:
WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Modules linked in:
CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8
8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe
<0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9
RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4
RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000
R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000
FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0
Call Trace:
<TASK>
__mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]
mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]
__mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615
mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767
process_one_work+0x1e0/0x560 kernel/workqueue.c:3254
process_scheduled_works kernel/workqueue.c:3335 [inline]
worker_thread+0x3c7/0x640 kernel/workqueue.c:3416
kthread+0x121/0x170 kernel/kthread.c:388
ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
When fallback to TCP happens early on a client socket, snd_nxt
is not yet initialized and any incoming ack will copy such value
into snd_una. If the mptcp worker (dumbly) tries mptcp-level
re-injection after such ack, that would unconditionally trigger a send
buffer cleanup using 'bad' snd_una values.
We could easily disable re-injection for fallback sockets, but such
dumb behavior already helped catching a few subtle issues and a very
low to zero impact in practice.
Instead address the issue always initializing snd_nxt (and write_seq,
for consistency) at connect time.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8fd738049ac3d67a937d36577763b47180aae1ad , < 99951b62bf20cec9247f633a3bea898338b9e5b4
(git)
Affected: 8fd738049ac3d67a937d36577763b47180aae1ad , < dc941fec0719d0471a5902424d6b2a17df233193 (git) Affected: 8fd738049ac3d67a937d36577763b47180aae1ad , < 39ca83ed73db9edcc6d70c0dc7a73085a4725012 (git) Affected: 8fd738049ac3d67a937d36577763b47180aae1ad , < aa0c07c1f20e05b30019bff083ec43665536f06f (git) Affected: 8fd738049ac3d67a937d36577763b47180aae1ad , < 592f69b41766d366dbb8ff4ef5a67c4396527bbe (git) Affected: 8fd738049ac3d67a937d36577763b47180aae1ad , < fb7a0d334894206ae35f023a82cad5a290fd7386 (git) |
|
| Linux | Linux |
Affected:
5.9
Unaffected: 0 , < 5.9 (semver) Unaffected: 5.10.218 , ≤ 5.10.* (semver) Unaffected: 5.15.159 , ≤ 5.15.* (semver) Unaffected: 6.1.91 , ≤ 6.1.* (semver) Unaffected: 6.6.31 , ≤ 6.6.* (semver) Unaffected: 6.8.10 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36889",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:29:56.745706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:33:02.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:43:49.113Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99951b62bf20cec9247f633a3bea898338b9e5b4",
"status": "affected",
"version": "8fd738049ac3d67a937d36577763b47180aae1ad",
"versionType": "git"
},
{
"lessThan": "dc941fec0719d0471a5902424d6b2a17df233193",
"status": "affected",
"version": "8fd738049ac3d67a937d36577763b47180aae1ad",
"versionType": "git"
},
{
"lessThan": "39ca83ed73db9edcc6d70c0dc7a73085a4725012",
"status": "affected",
"version": "8fd738049ac3d67a937d36577763b47180aae1ad",
"versionType": "git"
},
{
"lessThan": "aa0c07c1f20e05b30019bff083ec43665536f06f",
"status": "affected",
"version": "8fd738049ac3d67a937d36577763b47180aae1ad",
"versionType": "git"
},
{
"lessThan": "592f69b41766d366dbb8ff4ef5a67c4396527bbe",
"status": "affected",
"version": "8fd738049ac3d67a937d36577763b47180aae1ad",
"versionType": "git"
},
{
"lessThan": "fb7a0d334894206ae35f023a82cad5a290fd7386",
"status": "affected",
"version": "8fd738049ac3d67a937d36577763b47180aae1ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.218",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.218",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Modules linked in:\n CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Workqueue: events mptcp_worker\n RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n \t\u003c0f\u003e 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n Call Trace:\n \u003cTASK\u003e\n __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n process_scheduled_works kernel/workqueue.c:3335 [inline]\n worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n kthread+0x121/0x170 kernel/kthread.c:388\n ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n \u003c/TASK\u003e\n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using \u0027bad\u0027 snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:16:27.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4"
},
{
"url": "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193"
},
{
"url": "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012"
},
{
"url": "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f"
},
{
"url": "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe"
},
{
"url": "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386"
}
],
"title": "mptcp: ensure snd_nxt is properly initialized on connect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36889",
"datePublished": "2024-05-30T15:28:56.794Z",
"dateReserved": "2024-05-30T15:25:07.065Z",
"dateUpdated": "2026-05-11T20:16:27.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36920 (GCVE-0-2024-36920)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:29 – Updated: 2026-05-11 20:17
VLAI
EPSS
Title
scsi: mpi3mr: Avoid memcpy field-spanning write WARNING
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Avoid memcpy field-spanning write WARNING
When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driver
prints this WARNING message:
memcpy: detected field-spanning write (size 128) of single field "bsg_reply_buf->reply_buf" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)
WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]
The cause of the WARN is 128 bytes memcpy to the 1 byte size array "__u8
replay_buf[1]" in the struct mpi3mr_bsg_in_reply_buf. The array is intended
to be a flexible length array, so the WARN is a false positive.
To suppress the WARN, remove the constant number '1' from the array
declaration and clarify that it has flexible length. Also, adjust the
memory allocation size to match the change.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < 5f0266044dc611563539705bff0b3e1545fbb6aa
(git)
Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < f09318244c6cafd10aca741b9c01e0a2c362d43a (git) Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < 4d2772324f43cf5674ac3dbe3f74a7e656396716 (git) Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < 429846b4b6ce9853e0d803a2357bb2e55083adf0 (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 6.1.91 , ≤ 6.1.* (semver) Unaffected: 6.6.31 , ≤ 6.6.* (semver) Unaffected: 6.8.10 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-05T18:22:06.427418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T18:22:15.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:43:49.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_app.c",
"include/uapi/scsi/scsi_bsg_mpi3mr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f0266044dc611563539705bff0b3e1545fbb6aa",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "f09318244c6cafd10aca741b9c01e0a2c362d43a",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "4d2772324f43cf5674ac3dbe3f74a7e656396716",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "429846b4b6ce9853e0d803a2357bb2e55083adf0",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_app.c",
"include/uapi/scsi/scsi_bsg_mpi3mr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf-\u003ereply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number \u00271\u0027 from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:17:03.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa"
},
{
"url": "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a"
},
{
"url": "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716"
},
{
"url": "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0"
}
],
"title": "scsi: mpi3mr: Avoid memcpy field-spanning write WARNING",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36920",
"datePublished": "2024-05-30T15:29:15.121Z",
"dateReserved": "2024-05-30T15:25:07.068Z",
"dateUpdated": "2026-05-11T20:17:03.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-38564 (GCVE-0-2024-38564)
Vulnerability from cvelistv5 – Published: 2024-06-19 13:35 – Updated: 2026-05-11 20:19
VLAI
EPSS
Title
bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE
bpf_prog_attach uses attach_type_to_prog_type to enforce proper
attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses
bpf_prog_get and relies on bpf_prog_attach_check_attach_type
to properly verify prog_type <> attach_type association.
Add missing attach_type enforcement for the link_create case.
Otherwise, it's currently possible to attach cgroup_skb prog
types to other cgroup hooks.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4a1e7c0c63e02daad751842b7880f9bbcdfb6e89 , < 6675c541f540a29487a802d3135280b69b9f568d
(git)
Affected: 4a1e7c0c63e02daad751842b7880f9bbcdfb6e89 , < 67929e973f5a347f05fef064fea4ae79e7cdb5fd (git) Affected: 4a1e7c0c63e02daad751842b7880f9bbcdfb6e89 , < b34bbc76651065a5eafad8ddff1eb8d1f8473172 (git) Affected: 4a1e7c0c63e02daad751842b7880f9bbcdfb6e89 , < 543576ec15b17c0c93301ac8297333c7b6e84ac7 (git) |
|
| Linux | Linux |
Affected:
5.10
Unaffected: 0 , < 5.10 (semver) Unaffected: 6.6.33 , ≤ 6.6.* (semver) Unaffected: 6.8.12 , ≤ 6.8.* (semver) Unaffected: 6.9.3 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-20T14:57:28.333210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T14:57:37.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6675c541f540a29487a802d3135280b69b9f568d",
"status": "affected",
"version": "4a1e7c0c63e02daad751842b7880f9bbcdfb6e89",
"versionType": "git"
},
{
"lessThan": "67929e973f5a347f05fef064fea4ae79e7cdb5fd",
"status": "affected",
"version": "4a1e7c0c63e02daad751842b7880f9bbcdfb6e89",
"versionType": "git"
},
{
"lessThan": "b34bbc76651065a5eafad8ddff1eb8d1f8473172",
"status": "affected",
"version": "4a1e7c0c63e02daad751842b7880f9bbcdfb6e89",
"versionType": "git"
},
{
"lessThan": "543576ec15b17c0c93301ac8297333c7b6e84ac7",
"status": "affected",
"version": "4a1e7c0c63e02daad751842b7880f9bbcdfb6e89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.12",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE\n\nbpf_prog_attach uses attach_type_to_prog_type to enforce proper\nattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses\nbpf_prog_get and relies on bpf_prog_attach_check_attach_type\nto properly verify prog_type \u003c\u003e attach_type association.\n\nAdd missing attach_type enforcement for the link_create case.\nOtherwise, it\u0027s currently possible to attach cgroup_skb prog\ntypes to other cgroup hooks."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:19:09.088Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6675c541f540a29487a802d3135280b69b9f568d"
},
{
"url": "https://git.kernel.org/stable/c/67929e973f5a347f05fef064fea4ae79e7cdb5fd"
},
{
"url": "https://git.kernel.org/stable/c/b34bbc76651065a5eafad8ddff1eb8d1f8473172"
},
{
"url": "https://git.kernel.org/stable/c/543576ec15b17c0c93301ac8297333c7b6e84ac7"
}
],
"title": "bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38564",
"datePublished": "2024-06-19T13:35:32.222Z",
"dateReserved": "2024-06-18T19:36:34.922Z",
"dateUpdated": "2026-05-11T20:19:09.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…