Vulnerability-Lookup

CERTFR-2025-AVI-0308

Vulnerability from certfr_avis - Published: 2025-04-11 - Updated: 2025-04-11

De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un contournement de la politique de sécurité et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu 16.04 ESM
Ubuntu	Ubuntu	Ubuntu 24.04 LTS
Ubuntu	Ubuntu	Ubuntu 18.04 ESM
Ubuntu	Ubuntu	Ubuntu 20.04 LTS
Ubuntu	Ubuntu	Ubuntu 14.04 ESM
Ubuntu	Ubuntu	Ubuntu 22.04 LTS

References

Title

Publication Time

CVE-2024-26921 (GCVE-0-2024-26921)

Vulnerability from cvelistv5 – Published: 2024-04-18 09:47 – Updated: 2026-05-11 20:06

Title

inet: inet_defrag: prevent sk release while still in use

Summary

In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/1b6de5e6575b56502…
https://git.kernel.org/stable/c/9705f447bf9a6cd08…
https://git.kernel.org/stable/c/4318608dc28ef1841…
https://git.kernel.org/stable/c/7d0567842b78390dd…
https://git.kernel.org/stable/c/f4877225313d47465…
https://git.kernel.org/stable/c/e09cbe017311508c2…
https://git.kernel.org/stable/c/18685451fc4e546fc…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 1b6de5e6575b56502665c65cf93b0ae6aa0f51ab (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 9705f447bf9a6cd088300ad2c407b5e1c6591091 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 4318608dc28ef184158b4045896740716bea23f0 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 7d0567842b78390dd9b60f00f1d8f838d540e325 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < f4877225313d474659ee53150ccc3d553a978727 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < e09cbe017311508c21e0739e97198a8388b98981 (git) Affected: 7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab , < 18685451fc4e546fc0e718580d32df3c0e5c8272 (git)
Linux	Linux	Affected: 4.1 Unaffected: 0 , < 4.1 (semver) Unaffected: 5.4.285 , ≤ 5.4.* (semver) Unaffected: 5.10.227 , ≤ 5.10.* (semver) Unaffected: 5.15.168 , ≤ 5.15.* (semver) Unaffected: 6.1.85 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-18T19:03:24.189248Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T15:27:10.496Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:36:57.981Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/skbuff.h",
            "net/ipv4/inet_fragment.c",
            "net/ipv4/ip_fragment.c",
            "net/ipv6/netfilter/nf_conntrack_reasm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b6de5e6575b56502665c65cf93b0ae6aa0f51ab",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            },
            {
              "lessThan": "9705f447bf9a6cd088300ad2c407b5e1c6591091",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            },
            {
              "lessThan": "4318608dc28ef184158b4045896740716bea23f0",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            },
            {
              "lessThan": "7d0567842b78390dd9b60f00f1d8f838d540e325",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            },
            {
              "lessThan": "f4877225313d474659ee53150ccc3d553a978727",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            },
            {
              "lessThan": "e09cbe017311508c21e0739e97198a8388b98981",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            },
            {
              "lessThan": "18685451fc4e546fc0e718580d32df3c0e5c8272",
              "status": "affected",
              "version": "7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/skbuff.h",
            "net/ipv4/inet_fragment.c",
            "net/ipv4/ip_fragment.c",
            "net/ipv6/netfilter/nf_conntrack_reasm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.85",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.26",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.5",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb-\u003esk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug.  Quoting Eric:\n  Calling ip_defrag() in output path is also implying skb_orphan(),\n  which is buggy because output path relies on sk not disappearing.\n\n  A relevant old patch about the issue was :\n  8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n  [..]\n\n  net/ipv4/ip_output.c depends on skb-\u003esk being set, and probably to an\n  inet socket, not an arbitrary one.\n\n  If we orphan the packet in ipvlan, then downstream things like FQ\n  packet scheduler will not work properly.\n\n  We need to change ip_defrag() to only use skb_orphan() when really\n  needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead-\u003esk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff-\u003esk member, we must move the\noffset into the FRAG_CB, else skb-\u003esk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned.  This is\nsafe because skb gets queued/stolen and won\u0027t continue past reasm engine.\n\nIn the latter case, we will steal the skb-\u003esk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:06:57.402Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b6de5e6575b56502665c65cf93b0ae6aa0f51ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091"
        },
        {
          "url": "https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727"
        },
        {
          "url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981"
        },
        {
          "url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272"
        }
      ],
      "title": "inet: inet_defrag: prevent sk release while still in use",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26921",
    "datePublished": "2024-04-18T09:47:58.632Z",
    "dateReserved": "2024-02-19T14:20:24.194Z",
    "dateUpdated": "2026-05-11T20:06:57.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26928 (GCVE-0-2024-26928)

Vulnerability from cvelistv5 – Published: 2024-04-28 11:28 – Updated: 2026-05-11 20:07

Title

smb: client: fix potential UAF in cifs_debug_files_proc_show()

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/8f8718afd446cd4ea…
https://git.kernel.org/stable/c/a140224bcf87eb98a…
https://git.kernel.org/stable/c/229042314602db625…
https://git.kernel.org/stable/c/a65f2b56334ba4dc3…
https://git.kernel.org/stable/c/3402faf78b2516b0a…
https://git.kernel.org/stable/c/ca545b7f0823f19db…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075 , < 8f8718afd446cd4ea3b62bacc3eec09f8aae85ee (git) Affected: dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075 , < a140224bcf87eb98a87b67ff4c6826c57e47b704 (git) Affected: dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075 , < 229042314602db62559ecacba127067c22ee7b88 (git) Affected: dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075 , < a65f2b56334ba4dc30bd5ee9ce5b2691b973344d (git) Affected: dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075 , < 3402faf78b2516b0af1259baff50cc8453ef0bd1 (git) Affected: dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075 , < ca545b7f0823f19db0f1148d59bc5e1a56634502 (git)
Linux	Linux	Affected: 4.20 Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.237 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.85 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26928",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-09T18:40:05.314661Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:22:49.733Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:29:37.367Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifs_debug.c",
            "fs/smb/client/cifsglob.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8f8718afd446cd4ea3b62bacc3eec09f8aae85ee",
              "status": "affected",
              "version": "dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075",
              "versionType": "git"
            },
            {
              "lessThan": "a140224bcf87eb98a87b67ff4c6826c57e47b704",
              "status": "affected",
              "version": "dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075",
              "versionType": "git"
            },
            {
              "lessThan": "229042314602db62559ecacba127067c22ee7b88",
              "status": "affected",
              "version": "dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075",
              "versionType": "git"
            },
            {
              "lessThan": "a65f2b56334ba4dc30bd5ee9ce5b2691b973344d",
              "status": "affected",
              "version": "dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075",
              "versionType": "git"
            },
            {
              "lessThan": "3402faf78b2516b0af1259baff50cc8453ef0bd1",
              "status": "affected",
              "version": "dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075",
              "versionType": "git"
            },
            {
              "lessThan": "ca545b7f0823f19db0f1148d59bc5e1a56634502",
              "status": "affected",
              "version": "dfe33f9abc08997e56f9bdf14fe9ac7ac0e14075",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cifs_debug.c",
            "fs/smb/client/cifsglob.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.85",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.26",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.5",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:07:06.122Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8f8718afd446cd4ea3b62bacc3eec09f8aae85ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/a140224bcf87eb98a87b67ff4c6826c57e47b704"
        },
        {
          "url": "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502"
        }
      ],
      "title": "smb: client: fix potential UAF in cifs_debug_files_proc_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26928",
    "datePublished": "2024-04-28T11:28:01.529Z",
    "dateReserved": "2024-02-19T14:20:24.195Z",
    "dateUpdated": "2026-05-11T20:07:06.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-35864 (GCVE-0-2024-35864)

Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-05-23 15:43

Title

smb: client: fix potential UAF in smb2_is_valid_lease_break()

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/c868cabdf6fdd61be…
https://git.kernel.org/stable/c/f92739fdd4522c429…
https://git.kernel.org/stable/c/a8344e2b69bde63f7…
https://git.kernel.org/stable/c/705c76fbf726c7a2f…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < c868cabdf6fdd61bea54532271f4708254e57fc5 (git) Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < f92739fdd4522c4291277136399353d7c341fae4 (git) Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < a8344e2b69bde63f713b0aa796d70dbeadffddfb (git) Affected: 7f48558e6489d032b1584b0cc9ac4bb11072c034 , < 705c76fbf726c7a2f6ff9143d4013b18daaaebf1 (git) Affected: a67172a013953664b1dad03c648200c70b90506c (git) Affected: 3.12.48 , < 3.13 (semver)
Linux	Linux	Affected: 3.13 Unaffected: 0 , < 3.13 (semver) Unaffected: 6.1.85 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35864",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-29T18:32:19.453857Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:05.415Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.471Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c868cabdf6fdd61bea54532271f4708254e57fc5",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "f92739fdd4522c4291277136399353d7c341fae4",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "a8344e2b69bde63f713b0aa796d70dbeadffddfb",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "lessThan": "705c76fbf726c7a2f6ff9143d4013b18daaaebf1",
              "status": "affected",
              "version": "7f48558e6489d032b1584b0cc9ac4bb11072c034",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a67172a013953664b1dad03c648200c70b90506c",
              "versionType": "git"
            },
            {
              "lessThan": "3.13",
              "status": "affected",
              "version": "3.12.48",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.85",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.26",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.5",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.48",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:43:59.189Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1"
        }
      ],
      "title": "smb: client: fix potential UAF in smb2_is_valid_lease_break()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35864",
    "datePublished": "2024-05-19T08:34:22.936Z",
    "dateReserved": "2024-05-17T13:50:33.107Z",
    "dateUpdated": "2026-05-23T15:43:59.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-35960 (GCVE-0-2024-35960)

Vulnerability from cvelistv5 – Published: 2024-05-20 09:41 – Updated: 2026-05-12 11:53

Title

net/mlx5: Properly link new fs rules into the tree

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Properly link new fs rules into the tree Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones. These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL. This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which lead to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1]. This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

12 references

URL	Tags
https://git.kernel.org/stable/c/de0139719cdda8280…
https://git.kernel.org/stable/c/1263b0b26077b1183…
https://git.kernel.org/stable/c/3d90ca9145f6b97b3…
https://git.kernel.org/stable/c/7aaee12b804c5e037…
https://git.kernel.org/stable/c/2e8dc5cffc844dacf…
https://git.kernel.org/stable/c/5cf5337ef701830f1…
https://git.kernel.org/stable/c/adf67a03af39095f0…
https://git.kernel.org/stable/c/7c6782ad4911cbee8…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

23 products

Vendor	Product	Version
Linux	Linux	Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < de0139719cdda82806a47580ca0df06fc85e0bd2 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 1263b0b26077b1183c3c45a0a2479573a351d423 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 7aaee12b804c5e0374e7b132b6ec2158ff33dd64 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 2e8dc5cffc844dacfa79f056dea88002312f253f (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 5cf5337ef701830f173b4eec00a4f984adeb57a0 (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < adf67a03af39095f05d82050f15813d6f700159d (git) Affected: 74491de937125d0c98c9b9c9208b4105717a3caa , < 7c6782ad4911cbee874e85630226ed389ff2e453 (git)
Linux	Linux	Affected: 4.10 Unaffected: 0 , < 4.10 (semver) Unaffected: 4.19.313 , ≤ 4.19.* (semver) Unaffected: 5.4.275 , ≤ 5.4.* (semver) Unaffected: 5.10.216 , ≤ 5.10.* (semver) Unaffected: 5.15.156 , ≤ 5.15.* (semver) Unaffected: 6.1.87 , ≤ 6.1.* (semver) Unaffected: 6.6.28 , ≤ 6.6.* (semver) Unaffected: 6.8.7 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)
linux	linux_kernel	Affected: 74491de93712 , < de0139719cdd (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Affected: 74491de93712 , < 3d90ca9145f6 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Affected: 74491de93712 , < 7aaee12b804c (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Affected: 74491de93712 , < 2e8dc5cffc84 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Affected: 74491de93712 , < 5cf5337ef701 (custom) cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	Affected: 74491de93712 , < adf67a03af39 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Affected: 74491de93712 , < 7c6782ad4911 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Affected: 4.10 cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 0 , < 4.10 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 4.19.313 , ≤ 4.20 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 0 , ≤ 5.5 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 5.10.216 , ≤ 5.11 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 5.15.156 , ≤ 5.16 (custom) cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	Unaffected: 6.1.87 , ≤ 6.2 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 6.6.28 , ≤ 6.7 (custom) cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	Unaffected: 6.8.7 , ≤ 6.9 (custom) cpe:2.3:o:linux:linux_kernel:-:::::::*
linux	linux_kernel	Unaffected: 6.9 cpe:2.3:o:linux:linux_kernel:-:::::::*
Siemens	RUGGEDCOM RST2428P	Affected: 0 , < V3.1 (custom)
Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family	Unaffected: 0 , < * (custom)
Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 family	Affected: 0 , < V3.1 (custom)
Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux subsystem	Affected: 0 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "de0139719cdd",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "3d90ca9145f6",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "7aaee12b804c",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "2e8dc5cffc84",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "5cf5337ef701",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "adf67a03af39",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "7c6782ad4911",
                "status": "affected",
                "version": "74491de93712",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "4.10"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "4.10",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "4.20",
                "status": "unaffected",
                "version": "4.19.313",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "5.5",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "5.11",
                "status": "unaffected",
                "version": "5.10.216",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "5.16",
                "status": "unaffected",
                "version": "5.15.156",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "6.2",
                "status": "unaffected",
                "version": "6.1.87",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "6.7",
                "status": "unaffected",
                "version": "6.6.28",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "6.9",
                "status": "unaffected",
                "version": "6.8.7",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unaffected",
                "version": "6.9"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-35960",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-16T21:09:41.022641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-16T21:09:59.289Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:49.117Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM RST2428P",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:53:13.263Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/fs_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de0139719cdda82806a47580ca0df06fc85e0bd2",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "1263b0b26077b1183c3c45a0a2479573a351d423",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "7aaee12b804c5e0374e7b132b6ec2158ff33dd64",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "2e8dc5cffc844dacfa79f056dea88002312f253f",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "5cf5337ef701830f173b4eec00a4f984adeb57a0",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "adf67a03af39095f05d82050f15813d6f700159d",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            },
            {
              "lessThan": "7c6782ad4911cbee874e85630226ed389ff2e453",
              "status": "affected",
              "version": "74491de937125d0c98c9b9c9208b4105717a3caa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/fs_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.313",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.275",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.216",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.313",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.275",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.216",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.156",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.87",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.28",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n   again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node-\u003eparent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:14:32.050Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801"
        },
        {
          "url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453"
        }
      ],
      "title": "net/mlx5: Properly link new fs rules into the tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35960",
    "datePublished": "2024-05-20T09:41:51.900Z",
    "dateReserved": "2024-05-17T13:50:33.137Z",
    "dateUpdated": "2026-05-12T11:53:13.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-35973 (GCVE-0-2024-35973)

Vulnerability from cvelistv5 – Published: 2024-05-20 09:42 – Updated: 2026-05-23 15:45

Title

geneve: fix header validation in geneve[6]_xmit_skb

Summary

In the Linux kernel, the following vulnerability has been resolved: geneve: fix header validation in geneve[6]_xmit_skb syzbot is able to trigger an uninit-value in geneve_xmit() [1] Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) uses skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol. If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all. If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected. Add skb_vlan_inet_prepare() to perform a complete mac validation. Use this in geneve for the moment, I suspect we need to adopt this more broadly. v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest - Only call __vlan_get_protocol() for vlan types. v2,v3 - Addressed Sabrina comments on v1 and v2 [1] BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 geneve_xmit_skb drivers/net/geneve.c:910 [inline] geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

12 references

URL	Tags
https://git.kernel.org/stable/c/43be590456e1f3566…
https://git.kernel.org/stable/c/d3adf11d7993518a3…
https://git.kernel.org/stable/c/10204df9beda4978b…
https://git.kernel.org/stable/c/3c1ae6de74e3d2d63…
https://git.kernel.org/stable/c/4a1b65d1e55d53b39…
https://git.kernel.org/stable/c/190d9efa5773f26d6…
https://git.kernel.org/stable/c/357163fff3a6e48fe…
https://git.kernel.org/stable/c/d8a6213d70accb403…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

6 products

Vendor	Product	Version
Linux	Linux	Affected: 35385daa8db320d2d9664930c28e732578b0d7de , < 43be590456e1f3566054ce78ae2dbb68cbe1a536 (git) Affected: 6f92124d74419797fadfbcd5b7a72c384a6413ad , < d3adf11d7993518a39bd02b383cfe657ccc0023c (git) Affected: 71ad9260c001b217d704cda88ecea251b2d367da , < 10204df9beda4978bd1d0c2db0d8375bfb03b915 (git) Affected: d13f048dd40e8577260cd43faea8ec9b77520197 , < 3c1ae6de74e3d2d6333d29a2d3e13e6094596c79 (git) Affected: d13f048dd40e8577260cd43faea8ec9b77520197 , < 4a1b65d1e55d53b397cb27014208be1e04172670 (git) Affected: d13f048dd40e8577260cd43faea8ec9b77520197 , < 190d9efa5773f26d6f334b1b8be282c4fa13fd5e (git) Affected: d13f048dd40e8577260cd43faea8ec9b77520197 , < 357163fff3a6e48fe74745425a32071ec9caf852 (git) Affected: d13f048dd40e8577260cd43faea8ec9b77520197 , < d8a6213d70accb403b82924a1c229e733433a5ef (git) Affected: 9a51e36ebf433adf59c051bec33f5aa54640bb4d (git) Affected: 21815f28af8081b258552c111774ff320cf38d38 (git) Affected: 4.19.191 , < 4.19.313 (semver) Affected: 5.4.119 , < 5.4.275 (semver) Affected: 5.10.37 , < 5.10.216 (semver) Affected: 5.11.21 , < 5.12 (semver) Affected: 5.12.4 , < 5.13 (semver)
Linux	Linux	Affected: 5.13 Unaffected: 0 , < 5.13 (semver) Unaffected: 4.19.313 , ≤ 4.19.* (semver) Unaffected: 5.4.275 , ≤ 5.4.* (semver) Unaffected: 5.10.216 , ≤ 5.10.* (semver) Unaffected: 5.15.156 , ≤ 5.15.* (semver) Unaffected: 6.1.87 , ≤ 6.1.* (semver) Unaffected: 6.6.28 , ≤ 6.6.* (semver) Unaffected: 6.8.7 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Siemens	RUGGEDCOM RST2428P	Affected: 0 , < V3.1 (custom)
Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family	Unaffected: 0 , < * (custom)
Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 family	Affected: 0 , < V3.1 (custom)
Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux subsystem	Affected: 0 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-35973",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-29T18:16:33.435108Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-29T19:56:09.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:49.047Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM RST2428P",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:53:20.615Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/geneve.c",
            "include/net/ip_tunnels.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "43be590456e1f3566054ce78ae2dbb68cbe1a536",
              "status": "affected",
              "version": "35385daa8db320d2d9664930c28e732578b0d7de",
              "versionType": "git"
            },
            {
              "lessThan": "d3adf11d7993518a39bd02b383cfe657ccc0023c",
              "status": "affected",
              "version": "6f92124d74419797fadfbcd5b7a72c384a6413ad",
              "versionType": "git"
            },
            {
              "lessThan": "10204df9beda4978bd1d0c2db0d8375bfb03b915",
              "status": "affected",
              "version": "71ad9260c001b217d704cda88ecea251b2d367da",
              "versionType": "git"
            },
            {
              "lessThan": "3c1ae6de74e3d2d6333d29a2d3e13e6094596c79",
              "status": "affected",
              "version": "d13f048dd40e8577260cd43faea8ec9b77520197",
              "versionType": "git"
            },
            {
              "lessThan": "4a1b65d1e55d53b397cb27014208be1e04172670",
              "status": "affected",
              "version": "d13f048dd40e8577260cd43faea8ec9b77520197",
              "versionType": "git"
            },
            {
              "lessThan": "190d9efa5773f26d6f334b1b8be282c4fa13fd5e",
              "status": "affected",
              "version": "d13f048dd40e8577260cd43faea8ec9b77520197",
              "versionType": "git"
            },
            {
              "lessThan": "357163fff3a6e48fe74745425a32071ec9caf852",
              "status": "affected",
              "version": "d13f048dd40e8577260cd43faea8ec9b77520197",
              "versionType": "git"
            },
            {
              "lessThan": "d8a6213d70accb403b82924a1c229e733433a5ef",
              "status": "affected",
              "version": "d13f048dd40e8577260cd43faea8ec9b77520197",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9a51e36ebf433adf59c051bec33f5aa54640bb4d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "21815f28af8081b258552c111774ff320cf38d38",
              "versionType": "git"
            },
            {
              "lessThan": "4.19.313",
              "status": "affected",
              "version": "4.19.191",
              "versionType": "semver"
            },
            {
              "lessThan": "5.4.275",
              "status": "affected",
              "version": "5.4.119",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.216",
              "status": "affected",
              "version": "5.10.37",
              "versionType": "semver"
            },
            {
              "lessThan": "5.12",
              "status": "affected",
              "version": "5.11.21",
              "versionType": "semver"
            },
            {
              "lessThan": "5.13",
              "status": "affected",
              "version": "5.12.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/geneve.c",
            "include/net/ip_tunnels.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.313",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.275",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.216",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.313",
                  "versionStartIncluding": "4.19.191",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.275",
                  "versionStartIncluding": "5.4.119",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.216",
                  "versionStartIncluding": "5.10.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.156",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.87",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.28",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.7",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb-\u003eprotocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb-\u003eprotocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n   - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n  geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n  __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n  netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n  xmit_one net/core/dev.c:3531 [inline]\n  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n  __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n  dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n  packet_snd net/packet/af_packet.c:3081 [inline]\n  packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n  slab_post_alloc_hook mm/slub.c:3804 [inline]\n  slab_alloc_node mm/slub.c:3845 [inline]\n  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n  alloc_skb include/linux/skbuff.h:1318 [inline]\n  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n  packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n  packet_snd net/packet/af_packet.c:3024 [inline]\n  packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  __sys_sendto+0x685/0x830 net/socket.c:2191\n  __do_sys_sendto net/socket.c:2203 [inline]\n  __se_sys_sendto net/socket.c:2199 [inline]\n  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:45:36.681Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c"
        },
        {
          "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670"
        },
        {
          "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef"
        }
      ],
      "title": "geneve: fix header validation in geneve[6]_xmit_skb",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35973",
    "datePublished": "2024-05-20T09:42:00.475Z",
    "dateReserved": "2024-05-17T13:50:33.142Z",
    "dateUpdated": "2026-05-23T15:45:36.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36476 (GCVE-0-2024-36476)

Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2026-05-11 20:16

Title

RDMA/rtrs: Ensure 'ib_sge list' is accessible

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block to ensure it remains accessible for use throughout the function. Previously, 'ib_sge list' was declared within the 'always_invalidate' block, limiting its accessibility, then caused a 'BUG: kernel NULL pointer dereference'[1]. ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2d0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? memcpy_orig+0xd5/0x140 rxe_mr_copy+0x1c3/0x200 [rdma_rxe] ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe] copy_data+0xa5/0x230 [rdma_rxe] rxe_requester+0xd9b/0xf70 [rdma_rxe] ? finish_task_switch.isra.0+0x99/0x2e0 rxe_sender+0x13/0x40 [rdma_rxe] do_task+0x68/0x1e0 [rdma_rxe] process_one_work+0x177/0x330 worker_thread+0x252/0x390 ? __pfx_worker_thread+0x10/0x10 This change ensures the variable is available for subsequent operations that require it. [1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/7eaa71f56a6f7ab87…
https://git.kernel.org/stable/c/143378075904e78b3…
https://git.kernel.org/stable/c/32e1e748a85bd52b2…
https://git.kernel.org/stable/c/b238f61cc394d5fef…
https://git.kernel.org/stable/c/6ffb5c1885195ae52…
https://git.kernel.org/stable/c/fb514b31395946022…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 9cb837480424e78ed585376f944088246685aec3 , < 7eaa71f56a6f7ab87957213472dc6d4055862722 (git) Affected: 9cb837480424e78ed585376f944088246685aec3 , < 143378075904e78b3b2a810099bcc3b3d82d762f (git) Affected: 9cb837480424e78ed585376f944088246685aec3 , < 32e1e748a85bd52b20b3857d80fd166d22fa455a (git) Affected: 9cb837480424e78ed585376f944088246685aec3 , < b238f61cc394d5fef27b26d7d9aa383ebfddabb0 (git) Affected: 9cb837480424e78ed585376f944088246685aec3 , < 6ffb5c1885195ae5211a12b4acd2d51843ca41b0 (git) Affected: 9cb837480424e78ed585376f944088246685aec3 , < fb514b31395946022f13a08e06a435f53cf9e8b3 (git)
Linux	Linux	Affected: 5.8 Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.233 , ≤ 5.10.* (semver) Unaffected: 5.15.176 , ≤ 5.15.* (semver) Unaffected: 6.1.124 , ≤ 6.1.* (semver) Unaffected: 6.6.70 , ≤ 6.6.* (semver) Unaffected: 6.12.9 , ≤ 6.12.* (semver) Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-36476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:54:29.846906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:18.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:37:45.505Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/rtrs/rtrs-srv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7eaa71f56a6f7ab87957213472dc6d4055862722",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "143378075904e78b3b2a810099bcc3b3d82d762f",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "32e1e748a85bd52b20b3857d80fd166d22fa455a",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "b238f61cc394d5fef27b26d7d9aa383ebfddabb0",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "6ffb5c1885195ae5211a12b4acd2d51843ca41b0",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            },
            {
              "lessThan": "fb514b31395946022f13a08e06a435f53cf9e8b3",
              "status": "affected",
              "version": "9cb837480424e78ed585376f944088246685aec3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/ulp/rtrs/rtrs-srv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.233",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.176",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs: Ensure \u0027ib_sge list\u0027 is accessible\n\nMove the declaration of the \u0027ib_sge list\u0027 variable outside the\n\u0027always_invalidate\u0027 block to ensure it remains accessible for use\nthroughout the function.\n\nPreviously, \u0027ib_sge list\u0027 was declared within the \u0027always_invalidate\u0027\nblock, limiting its accessibility, then caused a\n\u0027BUG: kernel NULL pointer dereference\u0027[1].\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2d0\n ? search_module_extables+0x19/0x60\n ? search_bpf_extables+0x5f/0x80\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? memcpy_orig+0xd5/0x140\n rxe_mr_copy+0x1c3/0x200 [rdma_rxe]\n ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]\n copy_data+0xa5/0x230 [rdma_rxe]\n rxe_requester+0xd9b/0xf70 [rdma_rxe]\n ? finish_task_switch.isra.0+0x99/0x2e0\n rxe_sender+0x13/0x40 [rdma_rxe]\n do_task+0x68/0x1e0 [rdma_rxe]\n process_one_work+0x177/0x330\n worker_thread+0x252/0x390\n ? __pfx_worker_thread+0x10/0x10\n\nThis change ensures the variable is available for subsequent operations\nthat require it.\n\n[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:16:09.024Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7eaa71f56a6f7ab87957213472dc6d4055862722"
        },
        {
          "url": "https://git.kernel.org/stable/c/143378075904e78b3b2a810099bcc3b3d82d762f"
        },
        {
          "url": "https://git.kernel.org/stable/c/32e1e748a85bd52b20b3857d80fd166d22fa455a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b238f61cc394d5fef27b26d7d9aa383ebfddabb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ffb5c1885195ae5211a12b4acd2d51843ca41b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb514b31395946022f13a08e06a435f53cf9e8b3"
        }
      ],
      "title": "RDMA/rtrs: Ensure \u0027ib_sge list\u0027 is accessible",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36476",
    "datePublished": "2025-01-15T13:10:20.507Z",
    "dateReserved": "2025-01-15T13:08:59.730Z",
    "dateUpdated": "2026-05-11T20:16:09.024Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36899 (GCVE-0-2024-36899)

Vulnerability from cvelistv5 – Published: 2024-05-30 15:29 – Updated: 2026-05-12 11:53

Title

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

Summary

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/2dfbb920a89bdc580…
https://git.kernel.org/stable/c/2d008d4961b039d2e…
https://git.kernel.org/stable/c/d38c49f7bdf143812…
https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8…
https://git.kernel.org/stable/c/ca710b5f40b8b16fd…
https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d0…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 51c1064e82e77b39a49889287ca50709303e2f26 , < 2dfbb920a89bdc58087672ad5325dc6c588b6860 (git) Affected: 51c1064e82e77b39a49889287ca50709303e2f26 , < 2d008d4961b039d2edce8976289773961b7e5fb5 (git) Affected: 51c1064e82e77b39a49889287ca50709303e2f26 , < d38c49f7bdf14381270736299e2ff68ec248a017 (git) Affected: 51c1064e82e77b39a49889287ca50709303e2f26 , < 95ca7c90eaf5ea8a8460536535101e3e81160e2a (git) Affected: 51c1064e82e77b39a49889287ca50709303e2f26 , < ca710b5f40b8b16fdcad50bebd47f50e4c62d239 (git) Affected: 51c1064e82e77b39a49889287ca50709303e2f26 , < 02f6b0e1ec7e0e7d059dddc893645816552039da (git)
Linux	Linux	Affected: 5.7 Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.234 , ≤ 5.10.* (semver) Unaffected: 5.15.177 , ≤ 5.15.* (semver) Unaffected: 6.1.127 , ≤ 6.1.* (semver) Unaffected: 6.6.31 , ≤ 6.6.* (semver) Unaffected: 6.8.10 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux subsystem	Affected: 0 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36899",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-10T18:48:31.477532Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-10T18:48:41.419Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:37:56.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:53:59.615Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpiolib-cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2dfbb920a89bdc58087672ad5325dc6c588b6860",
              "status": "affected",
              "version": "51c1064e82e77b39a49889287ca50709303e2f26",
              "versionType": "git"
            },
            {
              "lessThan": "2d008d4961b039d2edce8976289773961b7e5fb5",
              "status": "affected",
              "version": "51c1064e82e77b39a49889287ca50709303e2f26",
              "versionType": "git"
            },
            {
              "lessThan": "d38c49f7bdf14381270736299e2ff68ec248a017",
              "status": "affected",
              "version": "51c1064e82e77b39a49889287ca50709303e2f26",
              "versionType": "git"
            },
            {
              "lessThan": "95ca7c90eaf5ea8a8460536535101e3e81160e2a",
              "status": "affected",
              "version": "51c1064e82e77b39a49889287ca50709303e2f26",
              "versionType": "git"
            },
            {
              "lessThan": "ca710b5f40b8b16fdcad50bebd47f50e4c62d239",
              "status": "affected",
              "version": "51c1064e82e77b39a49889287ca50709303e2f26",
              "versionType": "git"
            },
            {
              "lessThan": "02f6b0e1ec7e0e7d059dddc893645816552039da",
              "status": "affected",
              "version": "51c1064e82e77b39a49889287ca50709303e2f26",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpiolib-cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.31",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: cdev: Fix use after free in lineinfo_changed_notify\n\nThe use-after-free issue occurs as follows: when the GPIO chip device file\nis being closed by invoking gpio_chrdev_release(), watched_lines is freed\nby bitmap_free(), but the unregistration of lineinfo_changed_nb notifier\nchain failed due to waiting write rwsem. Additionally, one of the GPIO\nchip\u0027s lines is also in the release process and holds the notifier chain\u0027s\nread rwsem. Consequently, a race condition leads to the use-after-free of\nwatched_lines.\n\nHere is the typical stack when issue happened:\n\n[free]\ngpio_chrdev_release()\n  --\u003e bitmap_free(cdev-\u003ewatched_lines)                  \u003c-- freed\n  --\u003e blocking_notifier_chain_unregister()\n    --\u003e down_write(\u0026nh-\u003erwsem)                          \u003c-- waiting rwsem\n          --\u003e __down_write_common()\n            --\u003e rwsem_down_write_slowpath()\n                  --\u003e schedule_preempt_disabled()\n                    --\u003e schedule()\n\n[use]\nst54spi_gpio_dev_release()\n  --\u003e gpio_free()\n    --\u003e gpiod_free()\n      --\u003e gpiod_free_commit()\n        --\u003e gpiod_line_state_notify()\n          --\u003e blocking_notifier_call_chain()\n            --\u003e down_read(\u0026nh-\u003erwsem);                  \u003c-- held rwsem\n            --\u003e notifier_call_chain()\n              --\u003e lineinfo_changed_notify()\n                --\u003e test_bit(xxxx, cdev-\u003ewatched_lines) \u003c-- use after free\n\nThe side effect of the use-after-free issue is that a GPIO line event is\nbeing generated for userspace where it shouldn\u0027t. However, since the chrdev\nis being closed, userspace won\u0027t have the chance to read that event anyway.\n\nTo fix the issue, call the bitmap_free() function after the unregistration\nof lineinfo_changed_nb notifier chain."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:16:38.977Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2dfbb920a89bdc58087672ad5325dc6c588b6860"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d008d4961b039d2edce8976289773961b7e5fb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d38c49f7bdf14381270736299e2ff68ec248a017"
        },
        {
          "url": "https://git.kernel.org/stable/c/95ca7c90eaf5ea8a8460536535101e3e81160e2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca710b5f40b8b16fdcad50bebd47f50e4c62d239"
        },
        {
          "url": "https://git.kernel.org/stable/c/02f6b0e1ec7e0e7d059dddc893645816552039da"
        }
      ],
      "title": "gpiolib: cdev: Fix use after free in lineinfo_changed_notify",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36899",
    "datePublished": "2024-05-30T15:29:02.591Z",
    "dateReserved": "2024-05-30T15:25:07.066Z",
    "dateUpdated": "2026-05-12T11:53:59.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-42069 (GCVE-0-2024-42069)

Vulnerability from cvelistv5 – Published: 2024-07-29 15:52 – Updated: 2026-05-11 20:26

Title

net: mana: Fix possible double free in error handling path

Summary

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix possible double free in error handling path When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function adev_release calls kfree(madev). We shouldn't call kfree(madev) again in the error handling path. Set 'madev' to NULL.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/3243e64eb4d897c3e…
https://git.kernel.org/stable/c/ed45c0a0b662079d4…
https://git.kernel.org/stable/c/1864b8224195d0e43…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < 3243e64eb4d897c3eeb48b2a7221ab5a95e1282a (git) Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < ed45c0a0b662079d4c0e518014cc148c753979b4 (git) Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < 1864b8224195d0e43ddb92a8151f54f6562090cc (git)
Linux	Linux	Affected: 6.2 Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.37 , ≤ 6.6.* (semver) Unaffected: 6.9.8 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:30:29.384Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3243e64eb4d897c3eeb48b2a7221ab5a95e1282a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ed45c0a0b662079d4c0e518014cc148c753979b4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1864b8224195d0e43ddb92a8151f54f6562090cc"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:19:49.454221Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:08.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/microsoft/mana/mana_en.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3243e64eb4d897c3eeb48b2a7221ab5a95e1282a",
              "status": "affected",
              "version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
              "versionType": "git"
            },
            {
              "lessThan": "ed45c0a0b662079d4c0e518014cc148c753979b4",
              "status": "affected",
              "version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
              "versionType": "git"
            },
            {
              "lessThan": "1864b8224195d0e43ddb92a8151f54f6562090cc",
              "status": "affected",
              "version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/microsoft/mana/mana_en.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.37",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix possible double free in error handling path\n\nWhen auxiliary_device_add() returns error and then calls\nauxiliary_device_uninit(), callback function adev_release\ncalls kfree(madev). We shouldn\u0027t call kfree(madev) again\nin the error handling path. Set \u0027madev\u0027 to NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:26:22.756Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3243e64eb4d897c3eeb48b2a7221ab5a95e1282a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed45c0a0b662079d4c0e518014cc148c753979b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/1864b8224195d0e43ddb92a8151f54f6562090cc"
        }
      ],
      "title": "net: mana: Fix possible double free in error handling path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-42069",
    "datePublished": "2024-07-29T15:52:33.273Z",
    "dateReserved": "2024-07-29T15:50:41.168Z",
    "dateUpdated": "2026-05-11T20:26:22.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-42315 (GCVE-0-2024-42315)

Vulnerability from cvelistv5 – Published: 2024-08-17 09:09 – Updated: 2026-05-23 15:52

Title

exfat: fix potential deadlock on __exfat_get_dentry_set

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix potential deadlock on __exfat_get_dentry_set When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array is allocated in __exfat_get_entry_set. The problem is that the bh-array is allocated with GFP_KERNEL. It does not make sense. In the following cases, a deadlock for sbi->s_lock between the two processes may occur. CPU0 CPU1 ---- ---- kswapd balance_pgdat lock(fs_reclaim) exfat_iterate lock(&sbi->s_lock) exfat_readdir exfat_get_uniname_from_ext_entry exfat_get_dentry_set __exfat_get_dentry_set kmalloc_array ... lock(fs_reclaim) ... evict exfat_evict_inode lock(&sbi->s_lock) To fix this, let's allocate bh-array with GFP_NOFS.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/632fb232b6bbf8277…
https://git.kernel.org/stable/c/c052f775ee6ccacd3…
https://git.kernel.org/stable/c/cd1c7858641384191…
https://git.kernel.org/stable/c/a7ac198f8dba791e3…
https://git.kernel.org/stable/c/1d1970493c289e3f4…
https://git.kernel.org/stable/c/89fc548767a215523…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: bd3bdb9e0d656f760b11d0c638d35d7f7068144d , < 632fb232b6bbf8277edcbe9ecd4b4d98ecb122eb (git) Affected: 92dcd7d6c6068bf4fd35a6f64d606e27d634807e , < c052f775ee6ccacd3c97e4cf41a2a657e63d4259 (git) Affected: d8fe01ad2d8ab33aaf8f2efad9e8f1dae11c4b0c , < cd1c7858641384191ff7033fb1fc65dfcd559c6f (git) Affected: a3ff29a95fde16906304455aa8c0bd84eb770258 , < a7ac198f8dba791e3144c4da48a5a9b95773ee4b (git) Affected: a3ff29a95fde16906304455aa8c0bd84eb770258 , < 1d1970493c289e3f44b9ec847ed26a5dbdf56a62 (git) Affected: a3ff29a95fde16906304455aa8c0bd84eb770258 , < 89fc548767a2155231128cb98726d6d2ea1256c9 (git) Affected: 5.10.190 , < 5.10.232 (semver) Affected: 5.15.150 , < 5.15.175 (semver)
Linux	Linux	Affected: 6.2 Unaffected: 0 , < 6.2 (semver) Unaffected: 5.10.232 , ≤ 5.10.* (semver) Unaffected: 5.15.175 , ≤ 5.15.* (semver) Unaffected: 6.6.44 , ≤ 6.6.* (semver) Unaffected: 6.10.3 , ≤ 6.10.* (semver) Unaffected: 6.11 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42315",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:09:45.977516Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:26.638Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:38:38.291Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "632fb232b6bbf8277edcbe9ecd4b4d98ecb122eb",
              "status": "affected",
              "version": "bd3bdb9e0d656f760b11d0c638d35d7f7068144d",
              "versionType": "git"
            },
            {
              "lessThan": "c052f775ee6ccacd3c97e4cf41a2a657e63d4259",
              "status": "affected",
              "version": "92dcd7d6c6068bf4fd35a6f64d606e27d634807e",
              "versionType": "git"
            },
            {
              "lessThan": "cd1c7858641384191ff7033fb1fc65dfcd559c6f",
              "status": "affected",
              "version": "d8fe01ad2d8ab33aaf8f2efad9e8f1dae11c4b0c",
              "versionType": "git"
            },
            {
              "lessThan": "a7ac198f8dba791e3144c4da48a5a9b95773ee4b",
              "status": "affected",
              "version": "a3ff29a95fde16906304455aa8c0bd84eb770258",
              "versionType": "git"
            },
            {
              "lessThan": "1d1970493c289e3f44b9ec847ed26a5dbdf56a62",
              "status": "affected",
              "version": "a3ff29a95fde16906304455aa8c0bd84eb770258",
              "versionType": "git"
            },
            {
              "lessThan": "89fc548767a2155231128cb98726d6d2ea1256c9",
              "status": "affected",
              "version": "a3ff29a95fde16906304455aa8c0bd84eb770258",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.232",
              "status": "affected",
              "version": "5.10.190",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.175",
              "status": "affected",
              "version": "5.15.150",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.232",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.232",
                  "versionStartIncluding": "5.10.190",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.175",
                  "versionStartIncluding": "5.15.150",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.44",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix potential deadlock on __exfat_get_dentry_set\n\nWhen accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array\nis allocated in __exfat_get_entry_set. The problem is that the bh-array is\nallocated with GFP_KERNEL. It does not make sense. In the following cases,\na deadlock for sbi-\u003es_lock between the two processes may occur.\n\n       CPU0                CPU1\n       ----                ----\n  kswapd\n   balance_pgdat\n    lock(fs_reclaim)\n                      exfat_iterate\n                       lock(\u0026sbi-\u003es_lock)\n                       exfat_readdir\n                        exfat_get_uniname_from_ext_entry\n                         exfat_get_dentry_set\n                          __exfat_get_dentry_set\n                           kmalloc_array\n                            ...\n                            lock(fs_reclaim)\n    ...\n    evict\n     exfat_evict_inode\n      lock(\u0026sbi-\u003es_lock)\n\nTo fix this, let\u0027s allocate bh-array with GFP_NOFS."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:52:53.654Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/632fb232b6bbf8277edcbe9ecd4b4d98ecb122eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/c052f775ee6ccacd3c97e4cf41a2a657e63d4259"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd1c7858641384191ff7033fb1fc65dfcd559c6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7ac198f8dba791e3144c4da48a5a9b95773ee4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d1970493c289e3f44b9ec847ed26a5dbdf56a62"
        },
        {
          "url": "https://git.kernel.org/stable/c/89fc548767a2155231128cb98726d6d2ea1256c9"
        }
      ],
      "title": "exfat: fix potential deadlock on __exfat_get_dentry_set",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-42315",
    "datePublished": "2024-08-17T09:09:23.779Z",
    "dateReserved": "2024-07-30T07:40:12.278Z",
    "dateUpdated": "2026-05-23T15:52:53.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-43098 (GCVE-0-2024-43098)

Vulnerability from cvelistv5 – Published: 2025-01-11 12:25 – Updated: 2026-05-11 20:30

Title

i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock A deadlock may happen since the i3c_master_register() acquires &i3cbus->lock twice. See the log below. Use i3cdev->desc->info instead of calling i3c_device_info() to avoid acquiring the lock twice. v2: - Modified the title and commit message ============================================ WARNING: possible recursive locking detected 6.11.0-mainline -------------------------------------------- init/1 is trying to acquire lock: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock but task is already holding lock: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&i3cbus->lock); lock(&i3cbus->lock); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by init/1: #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register stack backtrace: CPU: 6 UID: 0 PID: 1 Comm: init Call trace: dump_backtrace+0xfc/0x17c show_stack+0x18/0x28 dump_stack_lvl+0x40/0xc0 dump_stack+0x18/0x24 print_deadlock_bug+0x388/0x390 __lock_acquire+0x18bc/0x32ec lock_acquire+0x134/0x2b0 down_read+0x50/0x19c i3c_bus_normaluse_lock+0x14/0x24 i3c_device_get_info+0x24/0x58 i3c_device_uevent+0x34/0xa4 dev_uevent+0x310/0x384 kobject_uevent_env+0x244/0x414 kobject_uevent+0x14/0x20 device_add+0x278/0x460 device_register+0x20/0x34 i3c_master_register_new_i3c_devs+0x78/0x154 i3c_master_register+0x6a0/0x6d4 mtk_i3c_master_probe+0x3b8/0x4d8 platform_probe+0xa0/0xe0 really_probe+0x114/0x454 __driver_probe_device+0xa0/0x15c driver_probe_device+0x3c/0x1ac __driver_attach+0xc4/0x1f0 bus_for_each_dev+0x104/0x160 driver_attach+0x24/0x34 bus_add_driver+0x14c/0x294 driver_register+0x68/0x104 __platform_driver_register+0x20/0x30 init_module+0x20/0xfe4 do_one_initcall+0x184/0x464 do_init_module+0x58/0x1ec load_module+0xefc/0x10c8 __arm64_sys_finit_module+0x238/0x33c invoke_syscall+0x58/0x10c el0_svc_common+0xa8/0xdc do_el0_svc+0x1c/0x28 el0_svc+0x50/0xac el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1a8/0x1ac

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/9a2173660ee53d569…
https://git.kernel.org/stable/c/5ac1dd51aaa0ce8b5…
https://git.kernel.org/stable/c/2d98fa2a50b8058de…
https://git.kernel.org/stable/c/816187b1833908941…
https://git.kernel.org/stable/c/ffe19e363c6f8b992…
https://git.kernel.org/stable/c/1f51ae217d09c361e…
https://git.kernel.org/stable/c/6cf7b65f7029914dc…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 9a2173660ee53d5699744f02e6ab7bf89fcd0b1a (git) Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 5ac1dd51aaa0ce8b5421d1137e857955a4b6f55e (git) Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 2d98fa2a50b8058de52ada168fa5dbabb574711b (git) Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 816187b1833908941286e71b0041059a4acd52ed (git) Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < ffe19e363c6f8b992ba835a361542568dea17409 (git) Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 1f51ae217d09c361ede900b94735a6d2df6c0344 (git) Affected: 3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0 , < 6cf7b65f7029914dc0cd7db86fac9ee5159008c6 (git)
Linux	Linux	Affected: 5.0 Unaffected: 0 , < 5.0 (semver) Unaffected: 5.4.287 , ≤ 5.4.* (semver) Unaffected: 5.10.231 , ≤ 5.10.* (semver) Unaffected: 5.15.174 , ≤ 5.15.* (semver) Unaffected: 6.1.120 , ≤ 6.1.* (semver) Unaffected: 6.6.66 , ≤ 6.6.* (semver) Unaffected: 6.12.5 , ≤ 6.12.* (semver) Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-43098",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:56:01.817545Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:22.947Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:38:43.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a2173660ee53d5699744f02e6ab7bf89fcd0b1a",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "5ac1dd51aaa0ce8b5421d1137e857955a4b6f55e",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "2d98fa2a50b8058de52ada168fa5dbabb574711b",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "816187b1833908941286e71b0041059a4acd52ed",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "ffe19e363c6f8b992ba835a361542568dea17409",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "1f51ae217d09c361ede900b94735a6d2df6c0344",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            },
            {
              "lessThan": "6cf7b65f7029914dc0cd7db86fac9ee5159008c6",
              "status": "affected",
              "version": "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i3c/master.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.66",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.66",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.5",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Use i3cdev-\u003edesc-\u003einfo instead of calling i3c_device_get_info() to avoid deadlock\n\nA deadlock may happen since the i3c_master_register() acquires\n\u0026i3cbus-\u003elock twice. See the log below.\nUse i3cdev-\u003edesc-\u003einfo instead of calling i3c_device_info() to\navoid acquiring the lock twice.\n\nv2:\n  - Modified the title and commit message\n\n============================================\nWARNING: possible recursive locking detected\n6.11.0-mainline\n--------------------------------------------\ninit/1 is trying to acquire lock:\nf1ffff80a6a40dc0 (\u0026i3cbus-\u003elock){++++}-{3:3}, at: i3c_bus_normaluse_lock\n\nbut task is already holding lock:\nf1ffff80a6a40dc0 (\u0026i3cbus-\u003elock){++++}-{3:3}, at: i3c_master_register\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n       CPU0\n       ----\n  lock(\u0026i3cbus-\u003elock);\n  lock(\u0026i3cbus-\u003elock);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n2 locks held by init/1:\n #0: fcffff809b6798f8 (\u0026dev-\u003emutex){....}-{3:3}, at: __driver_attach\n #1: f1ffff80a6a40dc0 (\u0026i3cbus-\u003elock){++++}-{3:3}, at: i3c_master_register\n\nstack backtrace:\nCPU: 6 UID: 0 PID: 1 Comm: init\nCall trace:\n dump_backtrace+0xfc/0x17c\n show_stack+0x18/0x28\n dump_stack_lvl+0x40/0xc0\n dump_stack+0x18/0x24\n print_deadlock_bug+0x388/0x390\n __lock_acquire+0x18bc/0x32ec\n lock_acquire+0x134/0x2b0\n down_read+0x50/0x19c\n i3c_bus_normaluse_lock+0x14/0x24\n i3c_device_get_info+0x24/0x58\n i3c_device_uevent+0x34/0xa4\n dev_uevent+0x310/0x384\n kobject_uevent_env+0x244/0x414\n kobject_uevent+0x14/0x20\n device_add+0x278/0x460\n device_register+0x20/0x34\n i3c_master_register_new_i3c_devs+0x78/0x154\n i3c_master_register+0x6a0/0x6d4\n mtk_i3c_master_probe+0x3b8/0x4d8\n platform_probe+0xa0/0xe0\n really_probe+0x114/0x454\n __driver_probe_device+0xa0/0x15c\n driver_probe_device+0x3c/0x1ac\n __driver_attach+0xc4/0x1f0\n bus_for_each_dev+0x104/0x160\n driver_attach+0x24/0x34\n bus_add_driver+0x14c/0x294\n driver_register+0x68/0x104\n __platform_driver_register+0x20/0x30\n init_module+0x20/0xfe4\n do_one_initcall+0x184/0x464\n do_init_module+0x58/0x1ec\n load_module+0xefc/0x10c8\n __arm64_sys_finit_module+0x238/0x33c\n invoke_syscall+0x58/0x10c\n el0_svc_common+0xa8/0xdc\n do_el0_svc+0x1c/0x28\n el0_svc+0x50/0xac\n el0t_64_sync_handler+0x70/0xbc\n el0t_64_sync+0x1a8/0x1ac"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:30:14.212Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a2173660ee53d5699744f02e6ab7bf89fcd0b1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ac1dd51aaa0ce8b5421d1137e857955a4b6f55e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d98fa2a50b8058de52ada168fa5dbabb574711b"
        },
        {
          "url": "https://git.kernel.org/stable/c/816187b1833908941286e71b0041059a4acd52ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/ffe19e363c6f8b992ba835a361542568dea17409"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f51ae217d09c361ede900b94735a6d2df6c0344"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cf7b65f7029914dc0cd7db86fac9ee5159008c6"
        }
      ],
      "title": "i3c: Use i3cdev-\u003edesc-\u003einfo instead of calling i3c_device_get_info() to avoid deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-43098",
    "datePublished": "2025-01-11T12:25:10.587Z",
    "dateReserved": "2025-01-09T09:51:32.424Z",
    "dateUpdated": "2026-05-11T20:30:14.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0308

Solutions

CVE-2024-26921 (GCVE-0-2024-26921)

CVE-2024-26928 (GCVE-0-2024-26928)

CVE-2024-35864 (GCVE-0-2024-35864)

CVE-2024-35960 (GCVE-0-2024-35960)

CVE-2024-35973 (GCVE-0-2024-35973)

CVE-2024-36476 (GCVE-0-2024-36476)

CVE-2024-36899 (GCVE-0-2024-36899)

CVE-2024-42069 (GCVE-0-2024-42069)

CVE-2024-42315 (GCVE-0-2024-42315)

CVE-2024-43098 (GCVE-0-2024-43098)

Tags

Sightings

Nomenclature