Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0106
Vulnerability from certfr_avis - Published: 2025-02-07 - Updated: 2025-02-07
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Cognos Analytics | Cognos Analytics versions 12.x antérieures à 12.0.4 IF2 | ||
| IBM | Cognos Analytics | Cognos Analytics versions 11.2.x antérieures à 11.2.4 FP5 | ||
| IBM | Security QRadar EDR | Security QRadar EDR versions 3.12.x antérieures à 3.12.15 | ||
| IBM | Db2 | IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions 3.5 à 4.8 antérieures à v4.8.8 | ||
| IBM | Security QRadar SIEM | QRadar SIEM versions 7.5.0 antérieures à 7.5.0 UP11 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Cognos Analytics versions 12.x ant\u00e9rieures \u00e0 12.0.4 IF2",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cognos Analytics versions 11.2.x ant\u00e9rieures \u00e0 11.2.4 FP5",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Security QRadar EDR versions 3.12.x ant\u00e9rieures \u00e0 3.12.15",
"product": {
"name": "Security QRadar EDR",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 on Cloud Pak for Data et Db2 Warehouse on Cloud Pak for Data versions 3.5 \u00e0 4.8 ant\u00e9rieures \u00e0 v4.8.8",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 UP11",
"product": {
"name": "Security QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-29483",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29483"
},
{
"name": "CVE-2023-7104",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-7104"
},
{
"name": "CVE-2020-21469",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-21469"
},
{
"name": "CVE-2024-45020",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45020"
},
{
"name": "CVE-2024-46826",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46826"
},
{
"name": "CVE-2024-42070",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42070"
},
{
"name": "CVE-2023-51714",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51714"
},
{
"name": "CVE-2021-47366",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47366"
},
{
"name": "CVE-2024-41093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41093"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2024-36361",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36361"
},
{
"name": "CVE-2024-35939",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35939"
},
{
"name": "CVE-2024-41009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41009"
},
{
"name": "CVE-2024-29041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29041"
},
{
"name": "CVE-2019-9641",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9641"
},
{
"name": "CVE-2022-21426",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21426"
},
{
"name": "CVE-2024-39503",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39503"
},
{
"name": "CVE-2024-50268",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50268"
},
{
"name": "CVE-2024-42292",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42292"
},
{
"name": "CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"name": "CVE-2016-2193",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2193"
},
{
"name": "CVE-2024-42284",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42284"
},
{
"name": "CVE-2024-43788",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43788"
},
{
"name": "CVE-2024-4068",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4068"
},
{
"name": "CVE-2024-26961",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26961"
},
{
"name": "CVE-2024-38608",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38608"
},
{
"name": "CVE-2024-50275",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50275"
},
{
"name": "CVE-2024-49352",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49352"
},
{
"name": "CVE-2023-37920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
},
{
"name": "CVE-2024-40924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40924"
},
{
"name": "CVE-2024-22353",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22353"
},
{
"name": "CVE-2020-20703",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-20703"
},
{
"name": "CVE-2024-50125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50125"
},
{
"name": "CVE-2022-48968",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48968"
},
{
"name": "CVE-2024-47715",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47715"
},
{
"name": "CVE-2024-26976",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26976"
},
{
"name": "CVE-2024-56326",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56326"
},
{
"name": "CVE-2024-50267",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50267"
},
{
"name": "CVE-2019-9638",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9638"
},
{
"name": "CVE-2022-49016",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49016"
},
{
"name": "CVE-2023-52492",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52492"
},
{
"name": "CVE-2023-5868",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5868"
},
{
"name": "CVE-2019-9639",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9639"
},
{
"name": "CVE-2023-28154",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28154"
},
{
"name": "CVE-2024-27062",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27062"
},
{
"name": "CVE-2024-35839",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35839"
},
{
"name": "CVE-2024-49977",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49977"
},
{
"name": "CVE-2024-43889",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43889"
},
{
"name": "CVE-2019-20444",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
},
{
"name": "CVE-2024-29415",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29415"
},
{
"name": "CVE-2024-46820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46820"
},
{
"name": "CVE-2024-45018",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45018"
},
{
"name": "CVE-2024-33883",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33883"
},
{
"name": "CVE-2024-43880",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43880"
},
{
"name": "CVE-2024-26615",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26615"
},
{
"name": "CVE-2024-50130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50130"
},
{
"name": "CVE-2024-4317",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4317"
},
{
"name": "CVE-2024-25026",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
},
{
"name": "CVE-2024-38586",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38586"
},
{
"name": "CVE-2024-53047",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53047"
},
{
"name": "CVE-2024-31141",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31141"
},
{
"name": "CVE-2023-5870",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5870"
},
{
"name": "CVE-2024-4067",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4067"
},
{
"name": "CVE-2024-45769",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45769"
},
{
"name": "CVE-2024-10977",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10977"
},
{
"name": "CVE-2024-27017",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27017"
},
{
"name": "CVE-2018-20506",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20506"
},
{
"name": "CVE-2018-20346",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20346"
},
{
"name": "CVE-2024-46845",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46845"
},
{
"name": "CVE-2024-40983",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40983"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2023-5869",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5869"
},
{
"name": "CVE-2022-49003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49003"
},
{
"name": "CVE-2024-42079",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42079"
},
{
"name": "CVE-2024-35898",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35898"
},
{
"name": "CVE-2024-43854",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43854"
},
{
"name": "CVE-2024-44935",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44935"
},
{
"name": "CVE-2024-50124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50124"
},
{
"name": "CVE-2022-24823",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24823"
},
{
"name": "CVE-2024-49875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49875"
},
{
"name": "CVE-2019-9020",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9020"
},
{
"name": "CVE-2024-41066",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41066"
},
{
"name": "CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"name": "CVE-2019-9023",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9023"
},
{
"name": "CVE-2024-7348",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7348"
},
{
"name": "CVE-2024-42244",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42244"
},
{
"name": "CVE-2024-10976",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10976"
},
{
"name": "CVE-2024-41942",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41942"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2024-45770",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45770"
},
{
"name": "CVE-2024-26851",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26851"
},
{
"name": "CVE-2022-48773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48773"
},
{
"name": "CVE-2019-12900",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12900"
},
{
"name": "CVE-2024-50282",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50282"
},
{
"name": "CVE-2024-24857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24857"
},
{
"name": "CVE-2024-49866",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49866"
},
{
"name": "CVE-2024-49949",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49949"
},
{
"name": "CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"name": "CVE-2024-56201",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56201"
},
{
"name": "CVE-2024-41092",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41092"
},
{
"name": "CVE-2024-5569",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5569"
},
{
"name": "CVE-2024-29736",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29736"
},
{
"name": "CVE-2019-9021",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-9021"
},
{
"name": "CVE-2024-27268",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27268"
},
{
"name": "CVE-2024-47535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
},
{
"name": "CVE-2022-21434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21434"
},
{
"name": "CVE-2024-41042",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41042"
},
{
"name": "CVE-2023-2454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2454"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2024-10041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10041"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2024-43892",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43892"
},
{
"name": "CVE-2024-50252",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50252"
},
{
"name": "CVE-2024-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
},
{
"name": "CVE-2024-47668",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47668"
},
{
"name": "CVE-2017-15010",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-15010"
},
{
"name": "CVE-2023-52921",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52921"
},
{
"name": "CVE-2024-53677",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53677"
},
{
"name": "CVE-2024-10978",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10978"
},
{
"name": "CVE-2024-53140",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53140"
},
{
"name": "CVE-2024-50602",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50602"
},
{
"name": "CVE-2023-2455",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2455"
},
{
"name": "CVE-2024-39338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
},
{
"name": "CVE-2019-20478",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20478"
},
{
"name": "CVE-2024-0985",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0985"
},
{
"name": "CVE-2024-38541",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38541"
},
{
"name": "CVE-2024-40984",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40984"
},
{
"name": "CVE-2023-52922",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52922"
},
{
"name": "CVE-2024-50274",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50274"
},
{
"name": "CVE-2024-38540",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38540"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2024-29180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29180"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2024-53064",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53064"
},
{
"name": "CVE-2023-50314",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50314"
},
{
"name": "CVE-2023-52917",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52917"
},
{
"name": "CVE-2023-26136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26136"
},
{
"name": "CVE-2024-44990",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44990"
},
{
"name": "CVE-2023-42282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42282"
},
{
"name": "CVE-2024-42301",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42301"
},
{
"name": "CVE-2024-24786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2024-50279",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50279"
},
{
"name": "CVE-2022-21476",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21476"
},
{
"name": "CVE-2019-16869",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16869"
},
{
"name": "CVE-2022-23491",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23491"
},
{
"name": "CVE-2022-21541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21541"
},
{
"name": "CVE-2024-26924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26924"
},
{
"name": "CVE-2022-21540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21540"
},
{
"name": "CVE-2024-44989",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44989"
},
{
"name": "CVE-2018-20505",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20505"
},
{
"name": "CVE-2024-32007",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32007"
},
{
"name": "CVE-2024-10979",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10979"
},
{
"name": "CVE-2019-20445",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
},
{
"name": "CVE-2024-40961",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40961"
}
],
"initial_release_date": "2025-02-07T00:00:00",
"last_revision_date": "2025-02-07T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0106",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2025-02-04",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7182424",
"url": "https://www.ibm.com/support/pages/node/7182424"
},
{
"published_at": "2025-02-03",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7182335",
"url": "https://www.ibm.com/support/pages/node/7182335"
},
{
"published_at": "2025-02-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7181898",
"url": "https://www.ibm.com/support/pages/node/7181898"
},
{
"published_at": "2025-02-04",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7181480",
"url": "https://www.ibm.com/support/pages/node/7181480"
},
{
"published_at": "2025-02-05",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7182696",
"url": "https://www.ibm.com/support/pages/node/7182696"
}
]
}
CVE-2024-47715 (GCVE-0-2024-47715)
Vulnerability from cvelistv5 – Published: 2024-10-21 11:53 – Updated: 2026-05-23 15:53
VLAI
EPSS
Title
wifi: mt76: mt7915: fix oops on non-dbdc mt7986
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: fix oops on non-dbdc mt7986
mt7915_band_config() sets band_idx = 1 on the main phy for mt7986
with MT7975_ONE_ADIE or MT7976_ONE_ADIE.
Commit 0335c034e726 ("wifi: mt76: fix race condition related to
checking tx queue fill status") introduced a dereference of the
phys array indirectly indexed by band_idx via wcid->phy_idx in
mt76_wcid_cleanup(). This caused the following Oops on affected
mt7986 devices:
Unable to handle kernel read from unreadable memory at virtual address 0000000000000024
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005
CM = 0, WnR = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000
[0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...
CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0
Hardware name: ZyXEL EX5700 (Telenor) (DT)
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mt76_wcid_cleanup+0x84/0x22c [mt76]
lr : mt76_wcid_cleanup+0x64/0x22c [mt76]
sp : ffffffc00a803700
x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00
x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001
x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8
x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000
x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0
x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000
x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28
x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000
x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024
Call trace:
mt76_wcid_cleanup+0x84/0x22c [mt76]
__mt76_sta_remove+0x70/0xbc [mt76]
mt76_sta_state+0x8c/0x1a4 [mt76]
mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]
drv_sta_state+0x144/0x274 [mac80211]
sta_info_move_state+0x1cc/0x2a4 [mac80211]
sta_set_sinfo+0xaf8/0xc24 [mac80211]
sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]
ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]
cfg80211_check_station_change+0x1360/0x4710 [cfg80211]
genl_family_rcv_msg_doit+0xb4/0x110
genl_rcv_msg+0xd0/0x1bc
netlink_rcv_skb+0x58/0x120
genl_rcv+0x34/0x50
netlink_unicast+0x1f0/0x2ec
netlink_sendmsg+0x198/0x3d0
____sys_sendmsg+0x1b0/0x210
___sys_sendmsg+0x80/0xf0
__sys_sendmsg+0x44/0xa0
__arm64_sys_sendmsg+0x20/0x30
invoke_syscall.constprop.0+0x4c/0xe0
do_el0_svc+0x40/0xd0
el0_svc+0x14/0x4c
el0t_64_sync_handler+0x100/0x110
el0t_64_sync+0x15c/0x160
Code: d2800002 910092c0 52800023 f9800011 (885f7c01)
---[ end trace 7e42dd9a39ed2281 ]---
Fix by using mt76_dev_phy() which will map band_idx to the correct phy
for all hardware combinations.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d2defcddfe90b3be0cfccc2482495ab1fb759586 , < 818dd118f4a997f8b4fe9c010b22402d410a2424
(git)
Affected: 0335c034e7265d36d956e806f33202c94a8a9860 , < 7c128f3ff0be5802aef66f332e4bba6afe98735e (git) Affected: 0335c034e7265d36d956e806f33202c94a8a9860 , < a94d2bd111b39f0c2c7fcbfbf8276ab98c3b8353 (git) Affected: 0335c034e7265d36d956e806f33202c94a8a9860 , < 862bf7cbd772c2bad570ef0c5b5556a1330656dd (git) Affected: 6.6.48 , < 6.6.54 (semver) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.6.54 , ≤ 6.6.* (semver) Unaffected: 6.10.13 , ≤ 6.10.* (semver) Unaffected: 6.11.2 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-21T13:02:44.864133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T13:04:18.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "818dd118f4a997f8b4fe9c010b22402d410a2424",
"status": "affected",
"version": "d2defcddfe90b3be0cfccc2482495ab1fb759586",
"versionType": "git"
},
{
"lessThan": "7c128f3ff0be5802aef66f332e4bba6afe98735e",
"status": "affected",
"version": "0335c034e7265d36d956e806f33202c94a8a9860",
"versionType": "git"
},
{
"lessThan": "a94d2bd111b39f0c2c7fcbfbf8276ab98c3b8353",
"status": "affected",
"version": "0335c034e7265d36d956e806f33202c94a8a9860",
"versionType": "git"
},
{
"lessThan": "862bf7cbd772c2bad570ef0c5b5556a1330656dd",
"status": "affected",
"version": "0335c034e7265d36d956e806f33202c94a8a9860",
"versionType": "git"
},
{
"lessThan": "6.6.54",
"status": "affected",
"version": "6.6.48",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mac80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.54",
"versionStartIncluding": "6.6.48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.13",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix oops on non-dbdc mt7986\n\nmt7915_band_config() sets band_idx = 1 on the main phy for mt7986\nwith MT7975_ONE_ADIE or MT7976_ONE_ADIE.\n\nCommit 0335c034e726 (\"wifi: mt76: fix race condition related to\nchecking tx queue fill status\") introduced a dereference of the\nphys array indirectly indexed by band_idx via wcid-\u003ephy_idx in\nmt76_wcid_cleanup(). This caused the following Oops on affected\nmt7986 devices:\n\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000024\n Mem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000005\n CM = 0, WnR = 0\n user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000\n [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] SMP\n Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...\n CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0\n Hardware name: ZyXEL EX5700 (Telenor) (DT)\n pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mt76_wcid_cleanup+0x84/0x22c [mt76]\n lr : mt76_wcid_cleanup+0x64/0x22c [mt76]\n sp : ffffffc00a803700\n x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00\n x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001\n x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8\n x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000\n x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0\n x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000\n x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28\n x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000\n x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001\n x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024\n Call trace:\n mt76_wcid_cleanup+0x84/0x22c [mt76]\n __mt76_sta_remove+0x70/0xbc [mt76]\n mt76_sta_state+0x8c/0x1a4 [mt76]\n mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]\n drv_sta_state+0x144/0x274 [mac80211]\n sta_info_move_state+0x1cc/0x2a4 [mac80211]\n sta_set_sinfo+0xaf8/0xc24 [mac80211]\n sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]\n\n ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]\n cfg80211_check_station_change+0x1360/0x4710 [cfg80211]\n genl_family_rcv_msg_doit+0xb4/0x110\n genl_rcv_msg+0xd0/0x1bc\n netlink_rcv_skb+0x58/0x120\n genl_rcv+0x34/0x50\n netlink_unicast+0x1f0/0x2ec\n netlink_sendmsg+0x198/0x3d0\n ____sys_sendmsg+0x1b0/0x210\n ___sys_sendmsg+0x80/0xf0\n __sys_sendmsg+0x44/0xa0\n __arm64_sys_sendmsg+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x40/0xd0\n el0_svc+0x14/0x4c\n el0t_64_sync_handler+0x100/0x110\n el0t_64_sync+0x15c/0x160\n Code: d2800002 910092c0 52800023 f9800011 (885f7c01)\n ---[ end trace 7e42dd9a39ed2281 ]---\n\nFix by using mt76_dev_phy() which will map band_idx to the correct phy\nfor all hardware combinations."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:53:49.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/818dd118f4a997f8b4fe9c010b22402d410a2424"
},
{
"url": "https://git.kernel.org/stable/c/7c128f3ff0be5802aef66f332e4bba6afe98735e"
},
{
"url": "https://git.kernel.org/stable/c/a94d2bd111b39f0c2c7fcbfbf8276ab98c3b8353"
},
{
"url": "https://git.kernel.org/stable/c/862bf7cbd772c2bad570ef0c5b5556a1330656dd"
}
],
"title": "wifi: mt76: mt7915: fix oops on non-dbdc mt7986",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-47715",
"datePublished": "2024-10-21T11:53:46.772Z",
"dateReserved": "2024-09-30T16:00:12.949Z",
"dateUpdated": "2026-05-23T15:53:49.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49352 (GCVE-0-2024-49352)
Vulnerability from cvelistv5 – Published: 2025-02-05 10:58 – Updated: 2025-02-22 21:00
VLAI
EPSS
Title
IBM Cognos Anaytics XML external entity injection
Summary
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cognos Analytics |
Affected:
11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T14:14:37.197807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:30.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cognos Analytics",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources."
}
],
"value": "IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T21:00:55.875Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7181480"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Anaytics XML external entity injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-49352",
"datePublished": "2025-02-05T10:58:33.935Z",
"dateReserved": "2024-10-14T12:05:24.915Z",
"dateUpdated": "2025-02-22T21:00:55.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49866 (GCVE-0-2024-49866)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:01 – Updated: 2026-05-11 20:40
VLAI
EPSS
Title
tracing/timerlat: Fix a race during cpuhp processing
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Fix a race during cpuhp processing
There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:
```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
<TASK>
? __warn+0x7c/0x110
? debug_print_object+0x7d/0xb0
? report_bug+0xf1/0x1d0
? prb_read_valid+0x17/0x20
? handle_bug+0x3f/0x70
? exc_invalid_op+0x13/0x60
? asm_exc_invalid_op+0x16/0x20
? debug_print_object+0x7d/0xb0
? debug_print_object+0x7d/0xb0
? __pfx_timerlat_irq+0x10/0x10
__debug_object_init+0x110/0x150
hrtimer_init+0x1d/0x60
timerlat_main+0xab/0x2d0
? __pfx_timerlat_main+0x10/0x10
kthread+0xb7/0xe0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x40
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
```
After tracing the scheduling event, it was discovered that the migration
of the "timerlat/1" thread was performed during thread creation. Further
analysis confirmed that it is because the CPU online processing for
osnoise is implemented through workers, which is asynchronous with the
offline processing. When the worker was scheduled to create a thread, the
CPU may has already been removed from the cpu_online_mask during the offline
process, resulting in the inability to select the right CPU:
T1 | T2
[CPUHP_ONLINE] | cpu_device_down()
osnoise_hotplug_workfn() |
| cpus_write_lock()
| takedown_cpu(1)
| cpus_write_unlock()
[CPUHP_OFFLINE] |
cpus_read_lock() |
start_kthread(1) |
cpus_read_unlock() |
To fix this, skip online processing if the CPU is already offline.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c8895e271f7994a3ecb13b8a280e39aa53879545 , < 322920b53dc11f9c2b33397eb3ae5bc6a175b60d
(git)
Affected: c8895e271f7994a3ecb13b8a280e39aa53879545 , < ce25f33ba89d6eefef64157655d318444580fa14 (git) Affected: c8895e271f7994a3ecb13b8a280e39aa53879545 , < a6e9849063a6c8f4cb2f652a437e44e3ed24356c (git) Affected: c8895e271f7994a3ecb13b8a280e39aa53879545 , < a0d9c0cd5856191e095cf43a2e141b73945b7716 (git) Affected: c8895e271f7994a3ecb13b8a280e39aa53879545 , < f72b451dc75578f644a3019c1489e9ae2c14e6c4 (git) Affected: c8895e271f7994a3ecb13b8a280e39aa53879545 , < 829e0c9f0855f26b3ae830d17b24aec103f7e915 (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.168 , ≤ 5.15.* (semver) Unaffected: 6.1.113 , ≤ 6.1.* (semver) Unaffected: 6.6.55 , ≤ 6.6.* (semver) Unaffected: 6.10.14 , ≤ 6.10.* (semver) Unaffected: 6.11.3 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:47:35.638203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:48:52.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:22:33.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "322920b53dc11f9c2b33397eb3ae5bc6a175b60d",
"status": "affected",
"version": "c8895e271f7994a3ecb13b8a280e39aa53879545",
"versionType": "git"
},
{
"lessThan": "ce25f33ba89d6eefef64157655d318444580fa14",
"status": "affected",
"version": "c8895e271f7994a3ecb13b8a280e39aa53879545",
"versionType": "git"
},
{
"lessThan": "a6e9849063a6c8f4cb2f652a437e44e3ed24356c",
"status": "affected",
"version": "c8895e271f7994a3ecb13b8a280e39aa53879545",
"versionType": "git"
},
{
"lessThan": "a0d9c0cd5856191e095cf43a2e141b73945b7716",
"status": "affected",
"version": "c8895e271f7994a3ecb13b8a280e39aa53879545",
"versionType": "git"
},
{
"lessThan": "f72b451dc75578f644a3019c1489e9ae2c14e6c4",
"status": "affected",
"version": "c8895e271f7994a3ecb13b8a280e39aa53879545",
"versionType": "git"
},
{
"lessThan": "829e0c9f0855f26b3ae830d17b24aec103f7e915",
"status": "affected",
"version": "c8895e271f7994a3ecb13b8a280e39aa53879545",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_osnoise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Fix a race during cpuhp processing\n\nThere is another found exception that the \"timerlat/1\" thread was\nscheduled on CPU0, and lead to timer corruption finally:\n\n```\nODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220\nWARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0\nModules linked in:\nCPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:debug_print_object+0x7d/0xb0\n...\nCall Trace:\n \u003cTASK\u003e\n ? __warn+0x7c/0x110\n ? debug_print_object+0x7d/0xb0\n ? report_bug+0xf1/0x1d0\n ? prb_read_valid+0x17/0x20\n ? handle_bug+0x3f/0x70\n ? exc_invalid_op+0x13/0x60\n ? asm_exc_invalid_op+0x16/0x20\n ? debug_print_object+0x7d/0xb0\n ? debug_print_object+0x7d/0xb0\n ? __pfx_timerlat_irq+0x10/0x10\n __debug_object_init+0x110/0x150\n hrtimer_init+0x1d/0x60\n timerlat_main+0xab/0x2d0\n ? __pfx_timerlat_main+0x10/0x10\n kthread+0xb7/0xe0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x40\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n```\n\nAfter tracing the scheduling event, it was discovered that the migration\nof the \"timerlat/1\" thread was performed during thread creation. Further\nanalysis confirmed that it is because the CPU online processing for\nosnoise is implemented through workers, which is asynchronous with the\noffline processing. When the worker was scheduled to create a thread, the\nCPU may has already been removed from the cpu_online_mask during the offline\nprocess, resulting in the inability to select the right CPU:\n\nT1 | T2\n[CPUHP_ONLINE] | cpu_device_down()\nosnoise_hotplug_workfn() |\n | cpus_write_lock()\n | takedown_cpu(1)\n | cpus_write_unlock()\n[CPUHP_OFFLINE] |\n cpus_read_lock() |\n start_kthread(1) |\n cpus_read_unlock() |\n\nTo fix this, skip online processing if the CPU is already offline."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:40:44.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/322920b53dc11f9c2b33397eb3ae5bc6a175b60d"
},
{
"url": "https://git.kernel.org/stable/c/ce25f33ba89d6eefef64157655d318444580fa14"
},
{
"url": "https://git.kernel.org/stable/c/a6e9849063a6c8f4cb2f652a437e44e3ed24356c"
},
{
"url": "https://git.kernel.org/stable/c/a0d9c0cd5856191e095cf43a2e141b73945b7716"
},
{
"url": "https://git.kernel.org/stable/c/f72b451dc75578f644a3019c1489e9ae2c14e6c4"
},
{
"url": "https://git.kernel.org/stable/c/829e0c9f0855f26b3ae830d17b24aec103f7e915"
}
],
"title": "tracing/timerlat: Fix a race during cpuhp processing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49866",
"datePublished": "2024-10-21T18:01:09.284Z",
"dateReserved": "2024-10-21T12:17:06.018Z",
"dateUpdated": "2026-05-11T20:40:44.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49875 (GCVE-0-2024-49875)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:01 – Updated: 2026-05-11 20:40
VLAI
EPSS
Title
nfsd: map the EBADMSG to nfserr_io to avoid warning
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: map the EBADMSG to nfserr_io to avoid warning
Ext4 will throw -EBADMSG through ext4_readdir when a checksum error
occurs, resulting in the following WARNING.
Fix it by mapping EBADMSG to nfserr_io.
nfsd_buffered_readdir
iterate_dir // -EBADMSG -74
ext4_readdir // .iterate_shared
ext4_dx_readdir
ext4_htree_fill_tree
htree_dirblock_to_tree
ext4_read_dirblock
__ext4_read_dirblock
ext4_dirblock_csum_verify
warn_no_space_for_csum
__warn_no_space_for_csum
return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
nfserrno // WARNING
[ 161.115610] ------------[ cut here ]------------
[ 161.116465] nfsd: non-standard errno: -74
[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[ 161.118596] Modules linked in:
[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe
mu.org 04/01/2014
[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6
05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 161.141519] PKRU: 55555554
[ 161.142076] Call Trace:
[ 161.142575] ? __warn+0x9b/0x140
[ 161.143229] ? nfserrno+0x9d/0xd0
[ 161.143872] ? report_bug+0x125/0x150
[ 161.144595] ? handle_bug+0x41/0x90
[ 161.145284] ? exc_invalid_op+0x14/0x70
[ 161.146009] ? asm_exc_invalid_op+0x12/0x20
[ 161.146816] ? nfserrno+0x9d/0xd0
[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0
[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0
[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170
[ 161.151004] ? generic_file_llseek_size+0x48/0x160
[ 161.151895] nfsd_readdir+0x132/0x190
[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.153516] ? nfsd_unlink+0x380/0x380
[ 161.154256] ? override_creds+0x45/0x60
[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0
[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210
[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0
[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0
[ 161.158494] ? lock_downgrade+0x90/0x90
[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10
[ 161.160092] nfsd4_encode_operation+0x15a/0x440
[ 161.160959] nfsd4_proc_compound+0x718/0xe90
[ 161.161818] nfsd_dispatch+0x18e/0x2c0
[ 161.162586] svc_process_common+0x786/0xc50
[ 161.163403] ? nfsd_svc+0x380/0x380
[ 161.164137] ? svc_printk+0x160/0x160
[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380
[ 161.165808] ? nfsd_svc+0x380/0x380
[ 161.166523] ? rcu_is_watching+0x23/0x40
[ 161.167309] svc_process+0x1a5/0x200
[ 161.168019] nfsd+0x1f5/0x380
[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260
[ 161.169554] kthread+0x1c4/0x210
[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80
[ 161.171246] ret_from_fork+0x1f/0x30
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6a797d2737838906f2ea0a31686e87c3151e21ca , < 0ea4333c679f333e23956de743ad17387819d3f2
(git)
Affected: 6a797d2737838906f2ea0a31686e87c3151e21ca , < 825789ca94602543101045ad3aad19b2b60c6b2a (git) Affected: 6a797d2737838906f2ea0a31686e87c3151e21ca , < 6fe058502f8864649c3d614b06b2235223798f48 (git) Affected: 6a797d2737838906f2ea0a31686e87c3151e21ca , < f7d8ee9db94372b8235f5f22bb24381891594c42 (git) Affected: 6a797d2737838906f2ea0a31686e87c3151e21ca , < c76005adfa93d1a027433331252422078750321f (git) Affected: 6a797d2737838906f2ea0a31686e87c3151e21ca , < e9cfecca22a36b927a440abc6307efb9e138fed5 (git) Affected: 6a797d2737838906f2ea0a31686e87c3151e21ca , < 340e61e44c1d2a15c42ec72ade9195ad525fd048 (git) |
|
| Linux | Linux |
Affected:
4.4
Unaffected: 0 , < 4.4 (semver) Unaffected: 5.10.227 , ≤ 5.10.* (semver) Unaffected: 5.15.168 , ≤ 5.15.* (semver) Unaffected: 6.1.113 , ≤ 6.1.* (semver) Unaffected: 6.6.55 , ≤ 6.6.* (semver) Unaffected: 6.10.14 , ≤ 6.10.* (semver) Unaffected: 6.11.3 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:46:25.129845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:48:51.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:22:40.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ea4333c679f333e23956de743ad17387819d3f2",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
},
{
"lessThan": "825789ca94602543101045ad3aad19b2b60c6b2a",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
},
{
"lessThan": "6fe058502f8864649c3d614b06b2235223798f48",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
},
{
"lessThan": "f7d8ee9db94372b8235f5f22bb24381891594c42",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
},
{
"lessThan": "c76005adfa93d1a027433331252422078750321f",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
},
{
"lessThan": "e9cfecca22a36b927a440abc6307efb9e138fed5",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
},
{
"lessThan": "340e61e44c1d2a15c42ec72ade9195ad525fd048",
"status": "affected",
"version": "6a797d2737838906f2ea0a31686e87c3151e21ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: map the EBADMSG to nfserr_io to avoid warning\n\nExt4 will throw -EBADMSG through ext4_readdir when a checksum error\noccurs, resulting in the following WARNING.\n\nFix it by mapping EBADMSG to nfserr_io.\n\nnfsd_buffered_readdir\n iterate_dir // -EBADMSG -74\n ext4_readdir // .iterate_shared\n ext4_dx_readdir\n ext4_htree_fill_tree\n htree_dirblock_to_tree\n ext4_read_dirblock\n __ext4_read_dirblock\n ext4_dirblock_csum_verify\n warn_no_space_for_csum\n __warn_no_space_for_csum\n return ERR_PTR(-EFSBADCRC) // -EBADMSG -74\n nfserrno // WARNING\n\n[ 161.115610] ------------[ cut here ]------------\n[ 161.116465] nfsd: non-standard errno: -74\n[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0\n[ 161.118596] Modules linked in:\n[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138\n[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe\nmu.org 04/01/2014\n[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0\n[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6\n 05 ce 2b 61 03 01 e8 99 20 d8 00 \u003c0f\u003e 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33\n[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286\n[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a\n[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827\n[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021\n[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8\n[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000\n[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0\n[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 161.141519] PKRU: 55555554\n[ 161.142076] Call Trace:\n[ 161.142575] ? __warn+0x9b/0x140\n[ 161.143229] ? nfserrno+0x9d/0xd0\n[ 161.143872] ? report_bug+0x125/0x150\n[ 161.144595] ? handle_bug+0x41/0x90\n[ 161.145284] ? exc_invalid_op+0x14/0x70\n[ 161.146009] ? asm_exc_invalid_op+0x12/0x20\n[ 161.146816] ? nfserrno+0x9d/0xd0\n[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0\n[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380\n[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0\n[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170\n[ 161.151004] ? generic_file_llseek_size+0x48/0x160\n[ 161.151895] nfsd_readdir+0x132/0x190\n[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380\n[ 161.153516] ? nfsd_unlink+0x380/0x380\n[ 161.154256] ? override_creds+0x45/0x60\n[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0\n[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210\n[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0\n[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0\n[ 161.158494] ? lock_downgrade+0x90/0x90\n[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10\n[ 161.160092] nfsd4_encode_operation+0x15a/0x440\n[ 161.160959] nfsd4_proc_compound+0x718/0xe90\n[ 161.161818] nfsd_dispatch+0x18e/0x2c0\n[ 161.162586] svc_process_common+0x786/0xc50\n[ 161.163403] ? nfsd_svc+0x380/0x380\n[ 161.164137] ? svc_printk+0x160/0x160\n[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380\n[ 161.165808] ? nfsd_svc+0x380/0x380\n[ 161.166523] ? rcu_is_watching+0x23/0x40\n[ 161.167309] svc_process+0x1a5/0x200\n[ 161.168019] nfsd+0x1f5/0x380\n[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260\n[ 161.169554] kthread+0x1c4/0x210\n[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80\n[ 161.171246] ret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:40:55.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ea4333c679f333e23956de743ad17387819d3f2"
},
{
"url": "https://git.kernel.org/stable/c/825789ca94602543101045ad3aad19b2b60c6b2a"
},
{
"url": "https://git.kernel.org/stable/c/6fe058502f8864649c3d614b06b2235223798f48"
},
{
"url": "https://git.kernel.org/stable/c/f7d8ee9db94372b8235f5f22bb24381891594c42"
},
{
"url": "https://git.kernel.org/stable/c/c76005adfa93d1a027433331252422078750321f"
},
{
"url": "https://git.kernel.org/stable/c/e9cfecca22a36b927a440abc6307efb9e138fed5"
},
{
"url": "https://git.kernel.org/stable/c/340e61e44c1d2a15c42ec72ade9195ad525fd048"
}
],
"title": "nfsd: map the EBADMSG to nfserr_io to avoid warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49875",
"datePublished": "2024-10-21T18:01:15.434Z",
"dateReserved": "2024-10-21T12:17:06.020Z",
"dateUpdated": "2026-05-11T20:40:55.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49949 (GCVE-0-2024-49949)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:02 – Updated: 2026-05-23 15:54
VLAI
EPSS
Title
net: avoid potential underflow in qdisc_pkt_len_init() with UFO
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: avoid potential underflow in qdisc_pkt_len_init() with UFO
After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
requests coming from user") virtio_net_hdr_to_skb() had sanity check
to detect malicious attempts from user space to cook a bad GSO packet.
Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
transport header in UFO") while fixing one issue, allowed user space
to cook a GSO packet with the following characteristic :
IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
When this packet arrives in qdisc_pkt_len_init(), we end up
with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
Then the following sets gso_segs to 0 :
gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
shinfo->gso_size);
Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
This leads to the following crash in fq_codel [1]
qdisc_pkt_len_init() is best effort, we only want an estimation
of the bytes sent on the wire, not crashing the kernel.
This patch is fixing this particular issue, a following one
adds more sanity checks for another potential bug.
[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
0: 24 08 and $0x8,%al
2: 49 c1 e1 06 shl $0x6,%r9
6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
b: 45 31 ed xor %r13d,%r13d
e: 45 31 c0 xor %r8d,%r8d
11: 31 ff xor %edi,%edi
13: 89 44 24 14 mov %eax,0x14(%rsp)
17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
1e: eb 04 jmp 0x24
20: 39 ca cmp %ecx,%edx
22: 73 37 jae 0x5b
24: 4d 8b 39 mov (%r9),%r15
27: 83 c7 01 add $0x1,%edi
2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
2d: 49 89 11 mov %rdx,(%r9)
30: 41 8b 57 28 mov 0x28(%r15),%edx
34: 45 8b 5f 34 mov 0x34(%r15),%r11d
38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
3f: 49 rex.WB
Code starting with the faulting instruction
===========================================
0: 49 8b 17 mov (%r15),%rdx
3: 49 89 11 mov %rdx,(%r9)
6: 41 8b 57 28 mov 0x28(%r15),%edx
a: 45 8b 5f 34 mov 0x34(%r15),%r11d
e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
15: 49 rex.WB
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C
---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
14 references
Impacted products
9 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
960b360ca7463921c1a6b72e7066a706d6406223 , < d70ca7598943572d5e384227bd268acb5109bf72
(git)
Affected: fb2dbc124a7f800cd0e4f901a1bbb769a017104c , < 1598d70ad9c7d0a4d9d54b82094e9f45908fda6d (git) Affected: 8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772 , < ba26060a29d3ca1bfc737aa79f7125128f35147c (git) Affected: 0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3 , < 939c88cbdc668dadd8cfa7a35d9066331239041c (git) Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < d6114993e0a89fde84a60a60a8329a571580b174 (git) Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < 25ab0b87dbd89cecef8a9c60a02bb97832e471d1 (git) Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < f959cce8a2a04ce776aa8b78e83ce339e0d7fbac (git) Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < 81fd007dcd47c34471766249853e4d4bce8eea4b (git) Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < c20029db28399ecc50e556964eaba75c43b1e2f1 (git) Affected: 2128303bff700c857739a0af8cc39c1a41840650 (git) Affected: 4.19.218 , < 4.19.323 (semver) Affected: 5.4.162 , < 5.4.285 (semver) Affected: 5.10.82 , < 5.10.227 (semver) Affected: 5.15.5 , < 5.15.168 (semver) Affected: 4.14.256 , < 4.15 (semver) |
|
| Linux | Linux |
Affected:
5.16
Unaffected: 0 , < 5.16 (semver) Unaffected: 4.19.323 , ≤ 4.19.* (semver) Unaffected: 5.4.285 , ≤ 5.4.* (semver) Unaffected: 5.10.227 , ≤ 5.10.* (semver) Unaffected: 5.15.168 , ≤ 5.15.* (semver) Unaffected: 6.1.113 , ≤ 6.1.* (semver) Unaffected: 6.6.55 , ≤ 6.6.* (semver) Unaffected: 6.10.14 , ≤ 6.10.* (semver) Unaffected: 6.11.3 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V3.2
(custom)
|
|
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family |
Affected:
0 , < V3.2
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Affected:
0 , < V3.2
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:36:39.259120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:49.361Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:23:29.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:59:19.790Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d70ca7598943572d5e384227bd268acb5109bf72",
"status": "affected",
"version": "960b360ca7463921c1a6b72e7066a706d6406223",
"versionType": "git"
},
{
"lessThan": "1598d70ad9c7d0a4d9d54b82094e9f45908fda6d",
"status": "affected",
"version": "fb2dbc124a7f800cd0e4f901a1bbb769a017104c",
"versionType": "git"
},
{
"lessThan": "ba26060a29d3ca1bfc737aa79f7125128f35147c",
"status": "affected",
"version": "8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772",
"versionType": "git"
},
{
"lessThan": "939c88cbdc668dadd8cfa7a35d9066331239041c",
"status": "affected",
"version": "0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3",
"versionType": "git"
},
{
"lessThan": "d6114993e0a89fde84a60a60a8329a571580b174",
"status": "affected",
"version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
"versionType": "git"
},
{
"lessThan": "25ab0b87dbd89cecef8a9c60a02bb97832e471d1",
"status": "affected",
"version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
"versionType": "git"
},
{
"lessThan": "f959cce8a2a04ce776aa8b78e83ce339e0d7fbac",
"status": "affected",
"version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
"versionType": "git"
},
{
"lessThan": "81fd007dcd47c34471766249853e4d4bce8eea4b",
"status": "affected",
"version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
"versionType": "git"
},
{
"lessThan": "c20029db28399ecc50e556964eaba75c43b1e2f1",
"status": "affected",
"version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
"versionType": "git"
},
{
"status": "affected",
"version": "2128303bff700c857739a0af8cc39c1a41840650",
"versionType": "git"
},
{
"lessThan": "4.19.323",
"status": "affected",
"version": "4.19.218",
"versionType": "semver"
},
{
"lessThan": "5.4.285",
"status": "affected",
"version": "5.4.162",
"versionType": "semver"
},
{
"lessThan": "5.10.227",
"status": "affected",
"version": "5.10.82",
"versionType": "semver"
},
{
"lessThan": "5.15.168",
"status": "affected",
"version": "5.15.5",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.256",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "5.4.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.256",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential underflow in qdisc_pkt_len_init() with UFO\n\nAfter commit 7c6d2ecbda83 (\"net: be more gentle about silly gso\nrequests coming from user\") virtio_net_hdr_to_skb() had sanity check\nto detect malicious attempts from user space to cook a bad GSO packet.\n\nThen commit cf9acc90c80ec (\"net: virtio_net_hdr_to_skb: count\ntransport header in UFO\") while fixing one issue, allowed user space\nto cook a GSO packet with the following characteristic :\n\nIPv4 SKB_GSO_UDP, gso_size=3, skb-\u003elen = 28.\n\nWhen this packet arrives in qdisc_pkt_len_init(), we end up\nwith hdr_len = 28 (IPv4 header + UDP header), matching skb-\u003elen\n\nThen the following sets gso_segs to 0 :\n\ngso_segs = DIV_ROUND_UP(skb-\u003elen - hdr_len,\n shinfo-\u003egso_size);\n\nThen later we set qdisc_skb_cb(skb)-\u003epkt_len to back to zero :/\n\nqdisc_skb_cb(skb)-\u003epkt_len += (gso_segs - 1) * hdr_len;\n\nThis leads to the following crash in fq_codel [1]\n\nqdisc_pkt_len_init() is best effort, we only want an estimation\nof the bytes sent on the wire, not crashing the kernel.\n\nThis patch is fixing this particular issue, a following one\nadds more sanity checks for another potential bug.\n\n[1]\n[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 70.724561] #PF: supervisor read access in kernel mode\n[ 70.724561] #PF: error_code(0x0000) - not-present page\n[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0\n[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991\n[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel\n[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 \u003c49\u003e 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49\nAll code\n========\n 0:\t24 08 \tand $0x8,%al\n 2:\t49 c1 e1 06 \tshl $0x6,%r9\n 6:\t44 89 7c 24 18 \tmov %r15d,0x18(%rsp)\n b:\t45 31 ed \txor %r13d,%r13d\n e:\t45 31 c0 \txor %r8d,%r8d\n 11:\t31 ff \txor %edi,%edi\n 13:\t89 44 24 14 \tmov %eax,0x14(%rsp)\n 17:\t4c 03 8b 90 01 00 00 \tadd 0x190(%rbx),%r9\n 1e:\teb 04 \tjmp 0x24\n 20:\t39 ca \tcmp %ecx,%edx\n 22:\t73 37 \tjae 0x5b\n 24:\t4d 8b 39 \tmov (%r9),%r15\n 27:\t83 c7 01 \tadd $0x1,%edi\n 2a:*\t49 8b 17 \tmov (%r15),%rdx\t\t\u003c-- trapping instruction\n 2d:\t49 89 11 \tmov %rdx,(%r9)\n 30:\t41 8b 57 28 \tmov 0x28(%r15),%edx\n 34:\t45 8b 5f 34 \tmov 0x34(%r15),%r11d\n 38:\t49 c7 07 00 00 00 00 \tmovq $0x0,(%r15)\n 3f:\t49 \trex.WB\n\nCode starting with the faulting instruction\n===========================================\n 0:\t49 8b 17 \tmov (%r15),%rdx\n 3:\t49 89 11 \tmov %rdx,(%r9)\n 6:\t41 8b 57 28 \tmov 0x28(%r15),%edx\n a:\t45 8b 5f 34 \tmov 0x34(%r15),%r11d\n e:\t49 c7 07 00 00 00 00 \tmovq $0x0,(%r15)\n 15:\t49 \trex.WB\n[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202\n[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000\n[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000\n[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58\n[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000\n[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000\n[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:54:07.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72"
},
{
"url": "https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d"
},
{
"url": "https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c"
},
{
"url": "https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c"
},
{
"url": "https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174"
},
{
"url": "https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1"
},
{
"url": "https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac"
},
{
"url": "https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b"
},
{
"url": "https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1"
}
],
"title": "net: avoid potential underflow in qdisc_pkt_len_init() with UFO",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49949",
"datePublished": "2024-10-21T18:02:05.756Z",
"dateReserved": "2024-10-21T12:17:06.046Z",
"dateUpdated": "2026-05-23T15:54:07.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-49977 (GCVE-0-2024-49977)
Vulnerability from cvelistv5 – Published: 2024-10-21 18:02 – Updated: 2026-05-23 15:54
VLAI
EPSS
Title
net: stmmac: Fix zero-division error when disabling tc cbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Fix zero-division error when disabling tc cbs
The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider
when offload is disabled") allows the "port_transmit_rate_kbps" to be
set to a value of 0, which is then passed to the "div_s64" function when
tc-cbs is disabled. This leads to a zero-division error.
When tc-cbs is disabled, the idleslope, sendslope, and credit values the
credit values are not required to be configured. Therefore, adding a return
statement after setting the txQ mode to DCB when tc-cbs is disabled would
prevent a zero-division error.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
11 references
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b4bca4722fda928810d024350493990de39f1e40 , < e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c
(git)
Affected: 2145583e5995598f50d66f8710c86bb1e910ac46 , < b0da9504a528f05f97d926b4db74ff21917a33e9 (git) Affected: 521d42a1c24d638241220d4b9fa7e7a0ed02b88e , < 5d43e1ad4567d67af2b42d3ab7c14152ffed25c6 (git) Affected: a71b686418ee6bcb6d6365f7f6d838d9874d9c64 , < 03582f4752427f60817d896f1a827aff772bd31e (git) Affected: b8c43360f6e424131fa81d3ba8792ad8ff25a09e , < e297a2bf56d12fd7f91a0c209eb6ea84361f3368 (git) Affected: b8c43360f6e424131fa81d3ba8792ad8ff25a09e , < 837d9df9c0792902710149d1a5e0991520af0f93 (git) Affected: b8c43360f6e424131fa81d3ba8792ad8ff25a09e , < 675faf5a14c14a2be0b870db30a70764df81e2df (git) Affected: f01782804147a8c21f481b3342c83422c041d2c0 (git) Affected: 5.10.221 , < 5.10.227 (semver) Affected: 5.15.162 , < 5.15.168 (semver) Affected: 6.1.96 , < 6.1.113 (semver) Affected: 6.6.36 , < 6.6.55 (semver) Affected: 6.9.7 , < 6.10 (semver) |
|
| Linux | Linux |
Affected:
6.10
Unaffected: 0 , < 6.10 (semver) Unaffected: 5.10.227 , ≤ 5.10.* (semver) Unaffected: 5.15.168 , ≤ 5.15.* (semver) Unaffected: 6.1.113 , ≤ 6.1.* (semver) Unaffected: 6.6.55 , ≤ 6.6.* (semver) Unaffected: 6.10.14 , ≤ 6.10.* (semver) Unaffected: 6.11.3 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V3.2
(custom)
|
|
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family |
Affected:
0 , < V3.2
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Affected:
0 , < V3.2
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49977",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:33:01.213521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:38:45.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:23:57.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:59:29.199Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c",
"status": "affected",
"version": "b4bca4722fda928810d024350493990de39f1e40",
"versionType": "git"
},
{
"lessThan": "b0da9504a528f05f97d926b4db74ff21917a33e9",
"status": "affected",
"version": "2145583e5995598f50d66f8710c86bb1e910ac46",
"versionType": "git"
},
{
"lessThan": "5d43e1ad4567d67af2b42d3ab7c14152ffed25c6",
"status": "affected",
"version": "521d42a1c24d638241220d4b9fa7e7a0ed02b88e",
"versionType": "git"
},
{
"lessThan": "03582f4752427f60817d896f1a827aff772bd31e",
"status": "affected",
"version": "a71b686418ee6bcb6d6365f7f6d838d9874d9c64",
"versionType": "git"
},
{
"lessThan": "e297a2bf56d12fd7f91a0c209eb6ea84361f3368",
"status": "affected",
"version": "b8c43360f6e424131fa81d3ba8792ad8ff25a09e",
"versionType": "git"
},
{
"lessThan": "837d9df9c0792902710149d1a5e0991520af0f93",
"status": "affected",
"version": "b8c43360f6e424131fa81d3ba8792ad8ff25a09e",
"versionType": "git"
},
{
"lessThan": "675faf5a14c14a2be0b870db30a70764df81e2df",
"status": "affected",
"version": "b8c43360f6e424131fa81d3ba8792ad8ff25a09e",
"versionType": "git"
},
{
"status": "affected",
"version": "f01782804147a8c21f481b3342c83422c041d2c0",
"versionType": "git"
},
{
"lessThan": "5.10.227",
"status": "affected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThan": "5.15.168",
"status": "affected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThan": "6.1.113",
"status": "affected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThan": "6.6.55",
"status": "affected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThan": "6.10",
"status": "affected",
"version": "6.9.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.227",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.227",
"versionStartIncluding": "5.10.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.168",
"versionStartIncluding": "5.15.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.113",
"versionStartIncluding": "6.1.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.55",
"versionStartIncluding": "6.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.14",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Fix zero-division error when disabling tc cbs\n\nThe commit b8c43360f6e4 (\"net: stmmac: No need to calculate speed divider\nwhen offload is disabled\") allows the \"port_transmit_rate_kbps\" to be\nset to a value of 0, which is then passed to the \"div_s64\" function when\ntc-cbs is disabled. This leads to a zero-division error.\n\nWhen tc-cbs is disabled, the idleslope, sendslope, and credit values the\ncredit values are not required to be configured. Therefore, adding a return\nstatement after setting the txQ mode to DCB when tc-cbs is disabled would\nprevent a zero-division error."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:54:12.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c"
},
{
"url": "https://git.kernel.org/stable/c/b0da9504a528f05f97d926b4db74ff21917a33e9"
},
{
"url": "https://git.kernel.org/stable/c/5d43e1ad4567d67af2b42d3ab7c14152ffed25c6"
},
{
"url": "https://git.kernel.org/stable/c/03582f4752427f60817d896f1a827aff772bd31e"
},
{
"url": "https://git.kernel.org/stable/c/e297a2bf56d12fd7f91a0c209eb6ea84361f3368"
},
{
"url": "https://git.kernel.org/stable/c/837d9df9c0792902710149d1a5e0991520af0f93"
},
{
"url": "https://git.kernel.org/stable/c/675faf5a14c14a2be0b870db30a70764df81e2df"
}
],
"title": "net: stmmac: Fix zero-division error when disabling tc cbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-49977",
"datePublished": "2024-10-21T18:02:24.480Z",
"dateReserved": "2024-10-21T12:17:06.052Z",
"dateUpdated": "2026-05-23T15:54:12.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50124 (GCVE-0-2024-50124)
Vulnerability from cvelistv5 – Published: 2024-11-05 17:10 – Updated: 2026-05-11 20:45
VLAI
EPSS
Title
Bluetooth: ISO: Fix UAF on iso_sock_timeout
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix UAF on iso_sock_timeout
conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
iso_sk_list.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 876ac72d535fa94f4ac57bba651987c6f990f646
(git)
Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 14bcb721d241e62fdd18f6f434a2ed2ab6e71a9b (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < d75aad1d3143ca68cda52ff80ac392e1bbd84325 (git) Affected: ccf74f2390d60a2f9a75ef496d2564abb478f46a , < 246b435ad668596aa0e2bbb9d491b6413861211a (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.115 , ≤ 6.1.* (semver) Unaffected: 6.6.59 , ≤ 6.6.* (semver) Unaffected: 6.11.6 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:25:58.935460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:33.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:43.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "876ac72d535fa94f4ac57bba651987c6f990f646",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "14bcb721d241e62fdd18f6f434a2ed2ab6e71a9b",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "d75aad1d3143ca68cda52ff80ac392e1bbd84325",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
},
{
"lessThan": "246b435ad668596aa0e2bbb9d491b6413861211a",
"status": "affected",
"version": "ccf74f2390d60a2f9a75ef496d2564abb478f46a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.115",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix UAF on iso_sock_timeout\n\nconn-\u003esk maybe have been unlinked/freed while waiting for iso_conn_lock\nso this checks if the conn-\u003esk is still valid by checking if it part of\niso_sk_list."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:45:53.596Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/876ac72d535fa94f4ac57bba651987c6f990f646"
},
{
"url": "https://git.kernel.org/stable/c/14bcb721d241e62fdd18f6f434a2ed2ab6e71a9b"
},
{
"url": "https://git.kernel.org/stable/c/d75aad1d3143ca68cda52ff80ac392e1bbd84325"
},
{
"url": "https://git.kernel.org/stable/c/246b435ad668596aa0e2bbb9d491b6413861211a"
}
],
"title": "Bluetooth: ISO: Fix UAF on iso_sock_timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50124",
"datePublished": "2024-11-05T17:10:52.434Z",
"dateReserved": "2024-10-21T19:36:19.954Z",
"dateUpdated": "2026-05-11T20:45:53.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50125 (GCVE-0-2024-50125)
Vulnerability from cvelistv5 – Published: 2024-11-05 17:10 – Updated: 2026-05-23 15:54
VLAI
EPSS
Title
Bluetooth: SCO: Fix UAF on sco_sock_timeout
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix UAF on sco_sock_timeout
conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock
so this checks if the conn->sk is still valid by checking if it part of
sco_sk_list.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ba316be1b6a00db7126ed9a39f9bee434a508043 , < 74a466a15731a754bcd8b5a83c126b5122e15a45
(git)
Affected: ba316be1b6a00db7126ed9a39f9bee434a508043 , < 9ddda5d967e84796e7df1b54a55f36b4b9f21079 (git) Affected: ba316be1b6a00db7126ed9a39f9bee434a508043 , < d30803f6a972b5b9e26d1d43b583c7ec151de04b (git) Affected: ba316be1b6a00db7126ed9a39f9bee434a508043 , < 80b05fbfa998480fb3d5299d93eab946f51e9c36 (git) Affected: ba316be1b6a00db7126ed9a39f9bee434a508043 , < 1bf4470a3939c678fb822073e9ea77a0560bc6bb (git) Affected: fea63ccd928c01573306983346588b26cffb5572 (git) Affected: 48669c81a65628ef234cbdd91b9395952c7c27fe (git) Affected: 37d7ae2b0578f2373674a755402ee722e96edc08 (git) Affected: a1073aad497d0d071a71f61b721966a176d50c08 (git) Affected: ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134 (git) Affected: b657bba82ff6a007d84fd076bd73b11131726a2b (git) Affected: 4.14.263 , < 4.15 (semver) Affected: 4.19.207 , < 4.20 (semver) Affected: 5.4.148 , < 5.5 (semver) Affected: 5.10.67 , < 5.11 (semver) Affected: 5.13.19 , < 5.14 (semver) Affected: 5.14.6 , < 5.15 (semver) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.181 , ≤ 5.15.* (semver) Unaffected: 6.1.115 , ≤ 6.1.* (semver) Unaffected: 6.6.59 , ≤ 6.6.* (semver) Unaffected: 6.11.6 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T14:25:55.353607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T14:58:33.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:25:44.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/bluetooth.h",
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74a466a15731a754bcd8b5a83c126b5122e15a45",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "9ddda5d967e84796e7df1b54a55f36b4b9f21079",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "d30803f6a972b5b9e26d1d43b583c7ec151de04b",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "80b05fbfa998480fb3d5299d93eab946f51e9c36",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"lessThan": "1bf4470a3939c678fb822073e9ea77a0560bc6bb",
"status": "affected",
"version": "ba316be1b6a00db7126ed9a39f9bee434a508043",
"versionType": "git"
},
{
"status": "affected",
"version": "fea63ccd928c01573306983346588b26cffb5572",
"versionType": "git"
},
{
"status": "affected",
"version": "48669c81a65628ef234cbdd91b9395952c7c27fe",
"versionType": "git"
},
{
"status": "affected",
"version": "37d7ae2b0578f2373674a755402ee722e96edc08",
"versionType": "git"
},
{
"status": "affected",
"version": "a1073aad497d0d071a71f61b721966a176d50c08",
"versionType": "git"
},
{
"status": "affected",
"version": "ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134",
"versionType": "git"
},
{
"status": "affected",
"version": "b657bba82ff6a007d84fd076bd73b11131726a2b",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.263",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.207",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.148",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.67",
"versionType": "semver"
},
{
"lessThan": "5.14",
"status": "affected",
"version": "5.13.19",
"versionType": "semver"
},
{
"lessThan": "5.15",
"status": "affected",
"version": "5.14.6",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/bluetooth.h",
"net/bluetooth/af_bluetooth.c",
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.115",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_sock_timeout\n\nconn-\u003esk maybe have been unlinked/freed while waiting for sco_conn_lock\nso this checks if the conn-\u003esk is still valid by checking if it part of\nsco_sk_list."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:54:34.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74a466a15731a754bcd8b5a83c126b5122e15a45"
},
{
"url": "https://git.kernel.org/stable/c/9ddda5d967e84796e7df1b54a55f36b4b9f21079"
},
{
"url": "https://git.kernel.org/stable/c/d30803f6a972b5b9e26d1d43b583c7ec151de04b"
},
{
"url": "https://git.kernel.org/stable/c/80b05fbfa998480fb3d5299d93eab946f51e9c36"
},
{
"url": "https://git.kernel.org/stable/c/1bf4470a3939c678fb822073e9ea77a0560bc6bb"
}
],
"title": "Bluetooth: SCO: Fix UAF on sco_sock_timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50125",
"datePublished": "2024-11-05T17:10:53.090Z",
"dateReserved": "2024-10-21T19:36:19.954Z",
"dateUpdated": "2026-05-23T15:54:34.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50130 (GCVE-0-2024-50130)
Vulnerability from cvelistv5 – Published: 2024-11-05 17:10 – Updated: 2026-05-11 20:46
VLAI
EPSS
Title
netfilter: bpf: must hold reference on net namespace
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: must hold reference on net namespace
BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60
Eric says:
It seems that bpf was able to defer the __nf_unregister_net_hook()
after exit()/close() time.
Perhaps a netns reference is missing, because the netns has been
dismantled/freed already.
bpf_nf_link_attach() does :
link->net = net;
But I do not see a reference being taken on net.
Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
84601d6ee68ae820dec97450934797046d62db4b , < f41bd93b3e0508edc7ba820357f949071dcc0acc
(git)
Affected: 84601d6ee68ae820dec97450934797046d62db4b , < d0d7939543a1b3bb93af9a18d258a774daf8f162 (git) Affected: 84601d6ee68ae820dec97450934797046d62db4b , < 1230fe7ad3974f7bf6c78901473e039b34d4fb1f (git) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.6.59 , ≤ 6.6.* (semver) Unaffected: 6.11.6 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T16:08:04.815447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T16:14:33.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_bpf_link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f41bd93b3e0508edc7ba820357f949071dcc0acc",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
},
{
"lessThan": "d0d7939543a1b3bb93af9a18d258a774daf8f162",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
},
{
"lessThan": "1230fe7ad3974f7bf6c78901473e039b34d4fb1f",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_bpf_link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bpf: must hold reference on net namespace\n\nBUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0\nRead of size 8 at addr ffff8880106fe400 by task repro/72=\nbpf_nf_link_release+0xda/0x1e0\nbpf_link_free+0x139/0x2d0\nbpf_link_release+0x68/0x80\n__fput+0x414/0xb60\n\nEric says:\n It seems that bpf was able to defer the __nf_unregister_net_hook()\n after exit()/close() time.\n Perhaps a netns reference is missing, because the netns has been\n dismantled/freed already.\n bpf_nf_link_attach() does :\n link-\u003enet = net;\n But I do not see a reference being taken on net.\n\nAdd such a reference and release it after hook unreg.\nNote that I was unable to get syzbot reproducer to work, so I\ndo not know if this resolves this splat."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:46:01.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f41bd93b3e0508edc7ba820357f949071dcc0acc"
},
{
"url": "https://git.kernel.org/stable/c/d0d7939543a1b3bb93af9a18d258a774daf8f162"
},
{
"url": "https://git.kernel.org/stable/c/1230fe7ad3974f7bf6c78901473e039b34d4fb1f"
}
],
"title": "netfilter: bpf: must hold reference on net namespace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50130",
"datePublished": "2024-11-05T17:10:56.344Z",
"dateReserved": "2024-10-21T19:36:19.955Z",
"dateUpdated": "2026-05-11T20:46:01.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50252 (GCVE-0-2024-50252)
Vulnerability from cvelistv5 – Published: 2024-11-09 10:15 – Updated: 2026-05-11 20:48
VLAI
EPSS
Title
mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
The device stores IPv6 addresses that are used for encapsulation in
linear memory that is managed by the driver.
Changing the remote address of an ip6gre net device never worked
properly, but since cited commit the following reproducer [1] would
result in a warning [2] and a memory leak [3]. The problem is that the
new remote address is never added by the driver to its hash table (and
therefore the device) and the old address is never removed from it.
Fix by programming the new address when the configuration of the ip6gre
net device changes and removing the old one. If the address did not
change, then the above would result in increasing the reference count of
the address and then decreasing it.
[1]
# ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit
# ip link set dev bla type ip6gre remote 2001:db8:3::1
# ip link del dev bla
# devlink dev reload pci/0000:01:00.0
[2]
WARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0
Modules linked in:
CPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
RIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0
[...]
Call Trace:
<TASK>
mlxsw_sp_router_netdevice_event+0x55f/0x1240
notifier_call_chain+0x5a/0xd0
call_netdevice_notifiers_info+0x39/0x90
unregister_netdevice_many_notify+0x63e/0x9d0
rtnl_dellink+0x16b/0x3a0
rtnetlink_rcv_msg+0x142/0x3f0
netlink_rcv_skb+0x50/0x100
netlink_unicast+0x242/0x390
netlink_sendmsg+0x1de/0x420
____sys_sendmsg+0x2bd/0x320
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x9e/0x1a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[3]
unreferenced object 0xffff898081f597a0 (size 32):
comm "ip", pid 1626, jiffies 4294719324
hex dump (first 32 bytes):
20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ...............
21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia.............
backtrace (crc fd9be911):
[<00000000df89c55d>] __kmalloc_cache_noprof+0x1da/0x260
[<00000000ff2a1ddb>] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340
[<000000009ddd445d>] mlxsw_sp_router_netdevice_event+0x47b/0x1240
[<00000000743e7757>] notifier_call_chain+0x5a/0xd0
[<000000007c7b9e13>] call_netdevice_notifiers_info+0x39/0x90
[<000000002509645d>] register_netdevice+0x5f7/0x7a0
[<00000000c2e7d2a9>] ip6gre_newlink_common.isra.0+0x65/0x130
[<0000000087cd6d8d>] ip6gre_newlink+0x72/0x120
[<000000004df7c7cc>] rtnl_newlink+0x471/0xa20
[<0000000057ed632a>] rtnetlink_rcv_msg+0x142/0x3f0
[<0000000032e0d5b5>] netlink_rcv_skb+0x50/0x100
[<00000000908bca63>] netlink_unicast+0x242/0x390
[<00000000cdbe1c87>] netlink_sendmsg+0x1de/0x420
[<0000000011db153e>] ____sys_sendmsg+0x2bd/0x320
[<000000003b6d53eb>] ___sys_sendmsg+0x9a/0xe0
[<00000000cae27c62>] __sys_sendmsg+0x7a/0xd0
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cf42911523e02026cb56d329e584ae5923e94ba1 , < d8f298eb6659eb6a38e26b79e77de4449dc6e61b
(git)
Affected: cf42911523e02026cb56d329e584ae5923e94ba1 , < 31384aa2ad05c29c7745000f321154f42de24d1a (git) Affected: cf42911523e02026cb56d329e584ae5923e94ba1 , < c1bbdbe07f0bc3bc9f87efe4672d67208c6d6942 (git) Affected: cf42911523e02026cb56d329e584ae5923e94ba1 , < 12ae97c531fcd3bfd774d4dfeaeac23eafe24280 (git) |
|
| Linux | Linux |
Affected:
5.17
Unaffected: 0 , < 5.17 (semver) Unaffected: 6.1.116 , ≤ 6.1.* (semver) Unaffected: 6.6.60 , ≤ 6.6.* (semver) Unaffected: 6.11.7 , ≤ 6.11.* (semver) Unaffected: 6.12 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:15:48.404342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:24.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:27:33.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8f298eb6659eb6a38e26b79e77de4449dc6e61b",
"status": "affected",
"version": "cf42911523e02026cb56d329e584ae5923e94ba1",
"versionType": "git"
},
{
"lessThan": "31384aa2ad05c29c7745000f321154f42de24d1a",
"status": "affected",
"version": "cf42911523e02026cb56d329e584ae5923e94ba1",
"versionType": "git"
},
{
"lessThan": "c1bbdbe07f0bc3bc9f87efe4672d67208c6d6942",
"status": "affected",
"version": "cf42911523e02026cb56d329e584ae5923e94ba1",
"versionType": "git"
},
{
"lessThan": "12ae97c531fcd3bfd774d4dfeaeac23eafe24280",
"status": "affected",
"version": "cf42911523e02026cb56d329e584ae5923e94ba1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.116",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.60",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address\n\nThe device stores IPv6 addresses that are used for encapsulation in\nlinear memory that is managed by the driver.\n\nChanging the remote address of an ip6gre net device never worked\nproperly, but since cited commit the following reproducer [1] would\nresult in a warning [2] and a memory leak [3]. The problem is that the\nnew remote address is never added by the driver to its hash table (and\ntherefore the device) and the old address is never removed from it.\n\nFix by programming the new address when the configuration of the ip6gre\nnet device changes and removing the old one. If the address did not\nchange, then the above would result in increasing the reference count of\nthe address and then decreasing it.\n\n[1]\n # ip link add name bla up type ip6gre local 2001:db8:1::1 remote 2001:db8:2::1 tos inherit ttl inherit\n # ip link set dev bla type ip6gre remote 2001:db8:3::1\n # ip link del dev bla\n # devlink dev reload pci/0000:01:00.0\n\n[2]\nWARNING: CPU: 0 PID: 1682 at drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3002 mlxsw_sp_ipv6_addr_put+0x140/0x1d0\nModules linked in:\nCPU: 0 UID: 0 PID: 1682 Comm: ip Not tainted 6.12.0-rc3-custom-g86b5b55bc835 #151\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nRIP: 0010:mlxsw_sp_ipv6_addr_put+0x140/0x1d0\n[...]\nCall Trace:\n \u003cTASK\u003e\n mlxsw_sp_router_netdevice_event+0x55f/0x1240\n notifier_call_chain+0x5a/0xd0\n call_netdevice_notifiers_info+0x39/0x90\n unregister_netdevice_many_notify+0x63e/0x9d0\n rtnl_dellink+0x16b/0x3a0\n rtnetlink_rcv_msg+0x142/0x3f0\n netlink_rcv_skb+0x50/0x100\n netlink_unicast+0x242/0x390\n netlink_sendmsg+0x1de/0x420\n ____sys_sendmsg+0x2bd/0x320\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xd0\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[3]\nunreferenced object 0xffff898081f597a0 (size 32):\n comm \"ip\", pid 1626, jiffies 4294719324\n hex dump (first 32 bytes):\n 20 01 0d b8 00 02 00 00 00 00 00 00 00 00 00 01 ...............\n 21 49 61 83 80 89 ff ff 00 00 00 00 01 00 00 00 !Ia.............\n backtrace (crc fd9be911):\n [\u003c00000000df89c55d\u003e] __kmalloc_cache_noprof+0x1da/0x260\n [\u003c00000000ff2a1ddb\u003e] mlxsw_sp_ipv6_addr_kvdl_index_get+0x281/0x340\n [\u003c000000009ddd445d\u003e] mlxsw_sp_router_netdevice_event+0x47b/0x1240\n [\u003c00000000743e7757\u003e] notifier_call_chain+0x5a/0xd0\n [\u003c000000007c7b9e13\u003e] call_netdevice_notifiers_info+0x39/0x90\n [\u003c000000002509645d\u003e] register_netdevice+0x5f7/0x7a0\n [\u003c00000000c2e7d2a9\u003e] ip6gre_newlink_common.isra.0+0x65/0x130\n [\u003c0000000087cd6d8d\u003e] ip6gre_newlink+0x72/0x120\n [\u003c000000004df7c7cc\u003e] rtnl_newlink+0x471/0xa20\n [\u003c0000000057ed632a\u003e] rtnetlink_rcv_msg+0x142/0x3f0\n [\u003c0000000032e0d5b5\u003e] netlink_rcv_skb+0x50/0x100\n [\u003c00000000908bca63\u003e] netlink_unicast+0x242/0x390\n [\u003c00000000cdbe1c87\u003e] netlink_sendmsg+0x1de/0x420\n [\u003c0000000011db153e\u003e] ____sys_sendmsg+0x2bd/0x320\n [\u003c000000003b6d53eb\u003e] ___sys_sendmsg+0x9a/0xe0\n [\u003c00000000cae27c62\u003e] __sys_sendmsg+0x7a/0xd0"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:48:31.577Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8f298eb6659eb6a38e26b79e77de4449dc6e61b"
},
{
"url": "https://git.kernel.org/stable/c/31384aa2ad05c29c7745000f321154f42de24d1a"
},
{
"url": "https://git.kernel.org/stable/c/c1bbdbe07f0bc3bc9f87efe4672d67208c6d6942"
},
{
"url": "https://git.kernel.org/stable/c/12ae97c531fcd3bfd774d4dfeaeac23eafe24280"
}
],
"title": "mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50252",
"datePublished": "2024-11-09T10:15:00.949Z",
"dateReserved": "2024-10-21T19:36:19.979Z",
"dateUpdated": "2026-05-11T20:48:31.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…