Vulnerability-Lookup

SUSE-SU-2024:2369-1

Vulnerability from csaf_suse - Published: 2024-07-09 14:09 - Updated: 2024-07-09 14:09

Summary

Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3)

Description of the patch: This update for the Linux Kernel 5.3.18-150300_59_161 fixes several issues. The following security issues were fixed: - CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225211). - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683). - CVE-2024-26828: Fixed underflow in parse_server_interfaces() (bsc#1223363). - CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210619).

Patchnames: SUSE-2024-2369,SUSE-SLE-Module-Live-Patching-15-SP3-2024-2369

CVE-2021-47383

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 3 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2023-1829

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 3 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-26828

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Affected products

Recommended 3 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-26923

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 3 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64	—	Vendor Fix

Threats

Impact important

References

28 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1210619	self
https://bugzilla.suse.com/1223363	self
https://bugzilla.suse.com/1223683	self
https://bugzilla.suse.com/1225211	self
https://www.suse.com/security/cve/CVE-2021-47383/	self
https://www.suse.com/security/cve/CVE-2023-1829/	self
https://www.suse.com/security/cve/CVE-2024-26828/	self
https://www.suse.com/security/cve/CVE-2024-26923/	self
https://www.suse.com/security/cve/CVE-2021-47383	external
https://bugzilla.suse.com/1225208	external
https://bugzilla.suse.com/1225211	external
https://www.suse.com/security/cve/CVE-2023-1829	external
https://bugzilla.suse.com/1210335	external
https://bugzilla.suse.com/1210619	external
https://bugzilla.suse.com/1217444	external
https://bugzilla.suse.com/1217531	external
https://bugzilla.suse.com/1220886	external
https://bugzilla.suse.com/1228311	external
https://www.suse.com/security/cve/CVE-2024-26828	external
https://bugzilla.suse.com/1223084	external
https://bugzilla.suse.com/1223363	external
https://www.suse.com/security/cve/CVE-2024-26923	external
https://bugzilla.suse.com/1223384	external
https://bugzilla.suse.com/1223683	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for the Linux Kernel 5.3.18-150300_59_161 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2021-47383: Fixed out-of-bound vmalloc access in imageblit (bsc#1225211).\n- CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223683).\n- CVE-2024-26828: Fixed underflow in parse_server_interfaces() (bsc#1223363).\n- CVE-2023-1829: Fixed a use-after-free vulnerability in the control index filter (tcindex) (bsc#1210619).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-2369,SUSE-SLE-Module-Live-Patching-15-SP3-2024-2369",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2369-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:2369-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20242369-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:2369-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018896.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1210619",
        "url": "https://bugzilla.suse.com/1210619"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1223363",
        "url": "https://bugzilla.suse.com/1223363"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1223683",
        "url": "https://bugzilla.suse.com/1223683"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1225211",
        "url": "https://bugzilla.suse.com/1225211"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-47383 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-47383/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-1829 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-1829/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26828 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26828/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26923 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26923/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP3)",
    "tracking": {
      "current_release_date": "2024-07-09T14:09:56Z",
      "generator": {
        "date": "2024-07-09T14:09:56Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:2369-1",
      "initial_release_date": "2024-07-09T14:09:56Z",
      "revision_history": [
        {
          "date": "2024-07-09T14:09:56Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_3_18-150300_59_161-preempt-3-150300.7.6.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_3_18-150300_59_161-preempt-3-150300.7.6.1.x86_64",
                  "product_id": "kernel-livepatch-5_3_18-150300_59_161-preempt-3-150300.7.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP3",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP3",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP3",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x"
        },
        "product_reference": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP3",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
        },
        "product_reference": "kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-47383",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-47383"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix out-of-bound vmalloc access in imageblit\n\nThis issue happens when a userspace program does an ioctl\nFBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct\ncontaining only the fields xres, yres, and bits_per_pixel\nwith values.\n\nIf this struct is the same as the previous ioctl, the\nvc_resize() detects it and doesn\u0027t call the resize_screen(),\nleaving the fb_var_screeninfo incomplete. And this leads to\nthe updatescrollmode() calculates a wrong value to\nfbcon_display-\u003evrows, which makes the real_y() return a\nwrong value of y, and that value, eventually, causes\nthe imageblit to access an out-of-bound address value.\n\nTo solve this issue I made the resize_screen() be called\neven if the screen does not need any resizing, so it will\n\"fix and fill\" the fb_var_screeninfo independently.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-47383",
          "url": "https://www.suse.com/security/cve/CVE-2021-47383"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225208 for CVE-2021-47383",
          "url": "https://bugzilla.suse.com/1225208"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225211 for CVE-2021-47383",
          "url": "https://bugzilla.suse.com/1225211"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-09T14:09:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-47383"
    },
    {
      "cve": "CVE-2023-1829",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-1829"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation.  The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.  A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-1829",
          "url": "https://www.suse.com/security/cve/CVE-2023-1829"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1210335 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1210335"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1210619 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1210619"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1217444 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1217444"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1217531 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1217531"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220886 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1220886"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1228311 for CVE-2023-1829",
          "url": "https://bugzilla.suse.com/1228311"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-09T14:09:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-1829"
    },
    {
      "cve": "CVE-2024-26828",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26828"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26828",
          "url": "https://www.suse.com/security/cve/CVE-2024-26828"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223084 for CVE-2024-26828",
          "url": "https://bugzilla.suse.com/1223084"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223363 for CVE-2024-26828",
          "url": "https://bugzilla.suse.com/1223363"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-09T14:09:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26828"
    },
    {
      "cve": "CVE-2024-26923",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26923"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0027s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26923",
          "url": "https://www.suse.com/security/cve/CVE-2024-26923"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223384 for CVE-2024-26923",
          "url": "https://bugzilla.suse.com/1223384"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1223683 for CVE-2024-26923",
          "url": "https://bugzilla.suse.com/1223683"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_161-default-3-150300.7.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-09T14:09:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26923"
    }
  ]
}

CVE-2021-47383 (GCVE-0-2021-47383)

Vulnerability from cvelistv5 – Published: 2024-05-21 15:03 – Updated: 2026-05-11 13:53

Title

tty: Fix out-of-bound vmalloc access in imageblit

Summary

In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/7e71fcedfda6f7de1…
https://git.kernel.org/stable/c/70aed03b1d5a5df97…
https://git.kernel.org/stable/c/067c694d06040db6f…
https://git.kernel.org/stable/c/8a6a240f52e143563…
https://git.kernel.org/stable/c/883f7897a25e3ce14…
https://git.kernel.org/stable/c/d570c48dd37dbe8fc…
https://git.kernel.org/stable/c/699d926585daa6ec4…
https://git.kernel.org/stable/c/3b0c406124719b625…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7e71fcedfda6f7de18f850a6b36e78d78b04476f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 70aed03b1d5a5df974f456cdc8eedb213c94bb8b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 067c694d06040db6f0c65281bb358452ca6d85b9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a6a240f52e14356386030d8958ae8b1761d2325 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 883f7897a25e3ce14a7f274ca4c73f49ac84002a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d570c48dd37dbe8fc6875d4461d01a9554ae2560 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 699d926585daa6ec44be556cdc1ab89e5d54557b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3b0c406124719b625b1aba431659f5cdc24a982c (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 4.4.286 , ≤ 4.4.* (semver) Unaffected: 4.9.285 , ≤ 4.9.* (semver) Unaffected: 4.14.249 , ≤ 4.14.* (semver) Unaffected: 4.19.209 , ≤ 4.19.* (semver) Unaffected: 5.4.151 , ≤ 5.4.* (semver) Unaffected: 5.10.71 , ≤ 5.10.* (semver) Unaffected: 5.14.10 , ≤ 5.14.* (semver) Unaffected: 5.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:37:20.634635Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:38:08.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.468Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7e71fcedfda6f7de18f850a6b36e78d78b04476f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70aed03b1d5a5df974f456cdc8eedb213c94bb8b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/067c694d06040db6f0c65281bb358452ca6d85b9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8a6a240f52e14356386030d8958ae8b1761d2325"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/883f7897a25e3ce14a7f274ca4c73f49ac84002a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d570c48dd37dbe8fc6875d4461d01a9554ae2560"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/699d926585daa6ec44be556cdc1ab89e5d54557b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3b0c406124719b625b1aba431659f5cdc24a982c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/vt/vt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e71fcedfda6f7de18f850a6b36e78d78b04476f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "70aed03b1d5a5df974f456cdc8eedb213c94bb8b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "067c694d06040db6f0c65281bb358452ca6d85b9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8a6a240f52e14356386030d8958ae8b1761d2325",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "883f7897a25e3ce14a7f274ca4c73f49ac84002a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d570c48dd37dbe8fc6875d4461d01a9554ae2560",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "699d926585daa6ec44be556cdc1ab89e5d54557b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3b0c406124719b625b1aba431659f5cdc24a982c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/vt/vt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.4.*",
              "status": "unaffected",
              "version": "4.4.286",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.71",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.4.286",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.285",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.249",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.209",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.151",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.71",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14.10",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: Fix out-of-bound vmalloc access in imageblit\n\nThis issue happens when a userspace program does an ioctl\nFBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct\ncontaining only the fields xres, yres, and bits_per_pixel\nwith values.\n\nIf this struct is the same as the previous ioctl, the\nvc_resize() detects it and doesn\u0027t call the resize_screen(),\nleaving the fb_var_screeninfo incomplete. And this leads to\nthe updatescrollmode() calculates a wrong value to\nfbcon_display-\u003evrows, which makes the real_y() return a\nwrong value of y, and that value, eventually, causes\nthe imageblit to access an out-of-bound address value.\n\nTo solve this issue I made the resize_screen() be called\neven if the screen does not need any resizing, so it will\n\"fix and fill\" the fb_var_screeninfo independently."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:53:37.872Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e71fcedfda6f7de18f850a6b36e78d78b04476f"
        },
        {
          "url": "https://git.kernel.org/stable/c/70aed03b1d5a5df974f456cdc8eedb213c94bb8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/067c694d06040db6f0c65281bb358452ca6d85b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a6a240f52e14356386030d8958ae8b1761d2325"
        },
        {
          "url": "https://git.kernel.org/stable/c/883f7897a25e3ce14a7f274ca4c73f49ac84002a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d570c48dd37dbe8fc6875d4461d01a9554ae2560"
        },
        {
          "url": "https://git.kernel.org/stable/c/699d926585daa6ec44be556cdc1ab89e5d54557b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b0c406124719b625b1aba431659f5cdc24a982c"
        }
      ],
      "title": "tty: Fix out-of-bound vmalloc access in imageblit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47383",
    "datePublished": "2024-05-21T15:03:44.286Z",
    "dateReserved": "2024-05-21T14:58:30.812Z",
    "dateUpdated": "2026-05-11T13:53:37.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-1829 (GCVE-0-2023-1829)

Vulnerability from cvelistv5 – Published: 2023-04-12 11:16 – Updated: 2025-02-13 16:39

Title

Use-after-free in tcindex (traffic control index filter) in the Linux Kernel

Summary

A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-416 - Use After Free

Assigner

Google

References

5 references

URL	Tags
https://git.kernel.org/pub/scm/linux/kernel/git/t…
https://kernel.dance/#8c710f75256bb3cf05ac7b1672c…
https://lists.debian.org/debian-lts-announce/2023…
https://lists.debian.org/debian-lts-announce/2023…
https://security.netapp.com/advisory/ntap-2023060…

Impacted products

1 product

Vendor	Product	Version
Linux	Linux Kernel	Affected: 3.8 , ≤ 6.2 (custom)

Date Public

2023-02-16 08:27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:05:26.153Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kernel.dance/#8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230601-0001/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1829",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T15:50:09.128361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-07T15:50:15.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "kernel",
          "product": "Linux Kernel",
          "repo": "https://git.kernel.org",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.2",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-02-16T08:27:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecan be exploited to achieve local privilege escalation\u003c/span\u003e.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eA local attacker user can use this vulnerability to elevate its privileges to root.\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWe recommend upgrading past commit \u003c/span\u003e \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c710f75256bb3cf05ac7b1672c82b92c43f3d28\"\u003e8c710f75256bb3cf05ac7b1672c82b92c43f3d28\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation.\u00a0The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure.\u00a0A local attacker user can use this vulnerability to elevate its privileges to root.\nWe recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-01T13:06:20.579Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
        },
        {
          "url": "https://kernel.dance/#8c710f75256bb3cf05ac7b1672c82b92c43f3d28"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230601-0001/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Use-after-free in tcindex (traffic control index filter) in the Linux Kernel",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2023-1829",
    "datePublished": "2023-04-12T11:16:59.101Z",
    "dateReserved": "2023-04-04T10:32:43.055Z",
    "dateUpdated": "2025-02-13T16:39:39.975Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26828 (GCVE-0-2024-26828)

Vulnerability from cvelistv5 – Published: 2024-04-17 09:43 – Updated: 2026-05-11 20:04

Title

cifs: fix underflow in parse_server_interfaces()

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.

Severity

6.7 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/7190353835b4a219a…
https://git.kernel.org/stable/c/f7ff1c89fb6e9610d…
https://git.kernel.org/stable/c/df2af9fdbc4ddde18…
https://git.kernel.org/stable/c/cffe487026be13eaf…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < 7190353835b4a219abb70f90b06cdcae97f11512 (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < f7ff1c89fb6e9610d2b01c1821727729e6609308 (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < df2af9fdbc4ddde18a3371c4ca1a86596e8be301 (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < cffe487026be13eaf37ea28b783d9638ab147204 (git)
Linux	Linux	Affected: 4.18 Unaffected: 0 , < 4.18 (semver) Unaffected: 6.1.79 , ≤ 6.1.* (semver) Unaffected: 6.6.18 , ≤ 6.6.* (semver) Unaffected: 6.7.6 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "ADJACENT_NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26828",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T17:36:16.490979Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T18:28:47.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.603Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7190353835b4a219abb70f90b06cdcae97f11512",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            },
            {
              "lessThan": "f7ff1c89fb6e9610d2b01c1821727729e6609308",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            },
            {
              "lessThan": "df2af9fdbc4ddde18a3371c4ca1a86596e8be301",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            },
            {
              "lessThan": "cffe487026be13eaf37ea28b783d9638ab147204",
              "status": "affected",
              "version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.79",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.18",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.6",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need.  However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t.  That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:04:54.580Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308"
        },
        {
          "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301"
        },
        {
          "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204"
        }
      ],
      "title": "cifs: fix underflow in parse_server_interfaces()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26828",
    "datePublished": "2024-04-17T09:43:52.995Z",
    "dateReserved": "2024-02-19T14:20:24.181Z",
    "dateUpdated": "2026-05-11T20:04:54.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-26923 (GCVE-0-2024-26923)

Vulnerability from cvelistv5 – Published: 2024-04-24 21:49 – Updated: 2026-05-12 11:50

Title

af_unix: Fix garbage collector racing against connect()

Summary

In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected.

Severity

No CVSS data available.

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

Assigner

Linux

References

13 references

URL	Tags
https://git.kernel.org/stable/c/a36ae0ec2353015f0…
https://git.kernel.org/stable/c/343c5372d5e17b306…
https://git.kernel.org/stable/c/2e2a03787f4f0abc0…
https://git.kernel.org/stable/c/e76c2678228f6aec7…
https://git.kernel.org/stable/c/b75722be422c276b6…
https://git.kernel.org/stable/c/507cc232ffe53a352…
https://git.kernel.org/stable/c/dbdf7bec5c9202000…
https://git.kernel.org/stable/c/47d8ac011fe1c9251…
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://lists.debian.org/debian-lts-announce/2024…	x_transferred
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

9 products

Vendor	Product	Version
Linux	Linux	Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < a36ae0ec2353015f0f6762e59f4c2dbc0c906423 (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 343c5372d5e17b306db5f8f3c895539b06e3177f (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 2e2a03787f4f0abc0072350654ab0ef3324d9db3 (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < e76c2678228f6aec74b305ae30c9374cc2f28a51 (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < b75722be422c276b699200de90527d01c602ea7c (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 507cc232ffe53a352847893f8177d276c3b532a9 (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < dbdf7bec5c920200077d693193f989cb1513f009 (git) Affected: 1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9 , < 47d8ac011fe1c9251070e1bd64cb10b48193ec51 (git)
Linux	Linux	Affected: 2.6.23 Unaffected: 0 , < 2.6.23 (semver) Unaffected: 4.19.314 , ≤ 4.19.* (semver) Unaffected: 5.4.275 , ≤ 5.4.* (semver) Unaffected: 5.10.216 , ≤ 5.10.* (semver) Unaffected: 5.15.156 , ≤ 5.15.* (semver) Unaffected: 6.1.87 , ≤ 6.1.* (semver) Unaffected: 6.6.28 , ≤ 6.6.* (semver) Unaffected: 6.8.7 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Siemens	RUGGEDCOM RST2428P	Affected: 0 , < V3.1 (custom)
Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family	Unaffected: 0 , < * (custom)
Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 family	Affected: 0 , < V3.1 (custom)
Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux subsystem	Affected: 0 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.0 , < V3.1.5 (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.0 , < V3.1.5 (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.0 , < V3.1.5 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T19:34:43.753Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.612Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM RST2428P",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.1.5",
                "status": "affected",
                "version": "V3.1.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:50:40.454Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a36ae0ec2353015f0f6762e59f4c2dbc0c906423",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "343c5372d5e17b306db5f8f3c895539b06e3177f",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "2e2a03787f4f0abc0072350654ab0ef3324d9db3",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "e76c2678228f6aec74b305ae30c9374cc2f28a51",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "b75722be422c276b699200de90527d01c602ea7c",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "507cc232ffe53a352847893f8177d276c3b532a9",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "dbdf7bec5c920200077d693193f989cb1513f009",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            },
            {
              "lessThan": "47d8ac011fe1c9251070e1bd64cb10b48193ec51",
              "status": "affected",
              "version": "1fd05ba5a2f2aa8e7b9b52ef55df850e2e7d54c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.23"
            },
            {
              "lessThan": "2.6.23",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.314",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.275",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.216",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.314",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.275",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.216",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.156",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.87",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.28",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.7",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0027s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:06:59.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423"
        },
        {
          "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009"
        },
        {
          "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51"
        }
      ],
      "title": "af_unix: Fix garbage collector racing against connect()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26923",
    "datePublished": "2024-04-24T21:49:22.001Z",
    "dateReserved": "2024-02-19T14:20:24.194Z",
    "dateUpdated": "2026-05-12T11:50:40.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2024:2369-1

CVE-2021-47383 (GCVE-0-2021-47383)

CVE-2023-1829 (GCVE-0-2023-1829)

CVE-2024-26828 (GCVE-0-2024-26828)

CVE-2024-26923 (GCVE-0-2024-26923)

Tags

Sightings

Nomenclature