Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2024-AVI-0749
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Elles permettent à un attaquant de provoquer un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-35875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35875"
},
{
"name": "CVE-2022-48799",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48799"
},
{
"name": "CVE-2024-35839",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35839"
},
{
"name": "CVE-2024-26946",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26946"
},
{
"name": "CVE-2024-39502",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39502"
},
{
"name": "CVE-2024-40983",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40983"
},
{
"name": "CVE-2024-42131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42131"
},
{
"name": "CVE-2024-41090",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41090"
},
{
"name": "CVE-2024-40995",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40995"
},
{
"name": "CVE-2024-38570",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38570"
},
{
"name": "CVE-2024-40956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40956"
},
{
"name": "CVE-2024-35895",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35895"
},
{
"name": "CVE-2024-42102",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42102"
},
{
"name": "CVE-2024-38540",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38540"
},
{
"name": "CVE-2024-40978",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40978"
},
{
"name": "CVE-2024-41091",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41091"
},
{
"name": "CVE-2024-41044",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41044"
},
{
"name": "CVE-2024-40914",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40914"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0749",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-09-06T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2024-09-03",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:6156",
"url": "https://access.redhat.com/errata/RHSA-2024:6156"
},
{
"published_at": "2024-09-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:6267",
"url": "https://access.redhat.com/errata/RHSA-2024:6267"
},
{
"published_at": "2024-09-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:6268",
"url": "https://access.redhat.com/errata/RHSA-2024:6268"
}
]
}
CVE-2022-48799 (GCVE-0-2022-48799)
Vulnerability from cvelistv5 – Published: 2024-07-16 11:43 – Updated: 2026-05-11 18:47
VLAI
EPSS
Title
perf: Fix list corruption in perf_cgroup_switch()
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix list corruption in perf_cgroup_switch()
There's list corruption on cgrp_cpuctx_list. This happens on the
following path:
perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list)
cpu_ctx_sched_in
ctx_sched_in
ctx_pinned_sched_in
merge_sched_in
perf_cgroup_event_disable: remove the event from the list
Use list_for_each_entry_safe() to allow removing an entry during
iteration.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < 5d76ed4223403f90421782adb2f20a9ecbc93186
(git)
Affected: 058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < 30d9f3cbe47e1018ddc8069ac5b5c9e66fbdf727 (git) Affected: 058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < a2ed7b29d0673ba361546e2d87dbbed149456c45 (git) Affected: 058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < f6b5d51976fcefef5732da3e3feb3ccff680f7c8 (git) Affected: 058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < 7969fe91c9830e045901970e9d755b7505881d4a (git) Affected: 058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < 2142bc1469a316fddd10012d76428f7265258f81 (git) Affected: 058fe1c0440e68a1ba3c2270ae43e9f0298b27d8 , < 5f4e5ce638e6a490b976ade4a40017b40abb2da0 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 4.14.267 , ≤ 4.14.* (semver) Unaffected: 4.19.230 , ≤ 4.19.* (semver) Unaffected: 5.4.180 , ≤ 5.4.* (semver) Unaffected: 5.10.101 , ≤ 5.10.* (semver) Unaffected: 5.15.24 , ≤ 5.15.* (semver) Unaffected: 5.16.10 , ≤ 5.16.* (semver) Unaffected: 5.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:25:01.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5d76ed4223403f90421782adb2f20a9ecbc93186"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/30d9f3cbe47e1018ddc8069ac5b5c9e66fbdf727"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a2ed7b29d0673ba361546e2d87dbbed149456c45"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f6b5d51976fcefef5732da3e3feb3ccff680f7c8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7969fe91c9830e045901970e9d755b7505881d4a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2142bc1469a316fddd10012d76428f7265258f81"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5f4e5ce638e6a490b976ade4a40017b40abb2da0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:59:09.842596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:14.602Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d76ed4223403f90421782adb2f20a9ecbc93186",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
},
{
"lessThan": "30d9f3cbe47e1018ddc8069ac5b5c9e66fbdf727",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
},
{
"lessThan": "a2ed7b29d0673ba361546e2d87dbbed149456c45",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
},
{
"lessThan": "f6b5d51976fcefef5732da3e3feb3ccff680f7c8",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
},
{
"lessThan": "7969fe91c9830e045901970e9d755b7505881d4a",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
},
{
"lessThan": "2142bc1469a316fddd10012d76428f7265258f81",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
},
{
"lessThan": "5f4e5ce638e6a490b976ade4a40017b40abb2da0",
"status": "affected",
"version": "058fe1c0440e68a1ba3c2270ae43e9f0298b27d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.267",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.267",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.230",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.180",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.101",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.24",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.10",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix list corruption in perf_cgroup_switch()\n\nThere\u0027s list corruption on cgrp_cpuctx_list. This happens on the\nfollowing path:\n\n perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list)\n cpu_ctx_sched_in\n ctx_sched_in\n ctx_pinned_sched_in\n merge_sched_in\n perf_cgroup_event_disable: remove the event from the list\n\nUse list_for_each_entry_safe() to allow removing an entry during\niteration."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:47:21.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d76ed4223403f90421782adb2f20a9ecbc93186"
},
{
"url": "https://git.kernel.org/stable/c/30d9f3cbe47e1018ddc8069ac5b5c9e66fbdf727"
},
{
"url": "https://git.kernel.org/stable/c/a2ed7b29d0673ba361546e2d87dbbed149456c45"
},
{
"url": "https://git.kernel.org/stable/c/f6b5d51976fcefef5732da3e3feb3ccff680f7c8"
},
{
"url": "https://git.kernel.org/stable/c/7969fe91c9830e045901970e9d755b7505881d4a"
},
{
"url": "https://git.kernel.org/stable/c/2142bc1469a316fddd10012d76428f7265258f81"
},
{
"url": "https://git.kernel.org/stable/c/5f4e5ce638e6a490b976ade4a40017b40abb2da0"
}
],
"title": "perf: Fix list corruption in perf_cgroup_switch()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48799",
"datePublished": "2024-07-16T11:43:52.894Z",
"dateReserved": "2024-07-16T11:38:08.895Z",
"dateUpdated": "2026-05-11T18:47:21.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26946 (GCVE-0-2024-26946)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:18 – Updated: 2026-05-11 20:07
VLAI
EPSS
Title
kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address
Summary
In the Linux kernel, the following vulnerability has been resolved:
kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address
Read from an unsafe address with copy_from_kernel_nofault() in
arch_adjust_kprobe_addr() because this function is used before checking
the address is in text or not. Syzcaller bot found a bug and reported
the case if user specifies inaccessible data area,
arch_adjust_kprobe_addr() will cause a kernel panic.
[ mingo: Clarified the comment. ]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cc66bb91457827f62e2b6cb2518666820f0a6c48 , < 6417684315087904fffe8966d27ca74398c57dd6
(git)
Affected: cc66bb91457827f62e2b6cb2518666820f0a6c48 , < f13edd1871d4fb4ab829aff629d47914e251bae3 (git) Affected: cc66bb91457827f62e2b6cb2518666820f0a6c48 , < 20fdb21eabaeb8f78f8f701f56d14ea0836ec861 (git) Affected: cc66bb91457827f62e2b6cb2518666820f0a6c48 , < b69f577308f1070004cafac106dd1a44099e5483 (git) Affected: cc66bb91457827f62e2b6cb2518666820f0a6c48 , < 4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b (git) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.1.84 , ≤ 6.1.* (semver) Unaffected: 6.6.24 , ≤ 6.6.* (semver) Unaffected: 6.7.12 , ≤ 6.7.* (semver) Unaffected: 6.8.3 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T18:35:25.300440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:47.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6417684315087904fffe8966d27ca74398c57dd6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f13edd1871d4fb4ab829aff629d47914e251bae3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/20fdb21eabaeb8f78f8f701f56d14ea0836ec861"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b69f577308f1070004cafac106dd1a44099e5483"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/kprobes/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6417684315087904fffe8966d27ca74398c57dd6",
"status": "affected",
"version": "cc66bb91457827f62e2b6cb2518666820f0a6c48",
"versionType": "git"
},
{
"lessThan": "f13edd1871d4fb4ab829aff629d47914e251bae3",
"status": "affected",
"version": "cc66bb91457827f62e2b6cb2518666820f0a6c48",
"versionType": "git"
},
{
"lessThan": "20fdb21eabaeb8f78f8f701f56d14ea0836ec861",
"status": "affected",
"version": "cc66bb91457827f62e2b6cb2518666820f0a6c48",
"versionType": "git"
},
{
"lessThan": "b69f577308f1070004cafac106dd1a44099e5483",
"status": "affected",
"version": "cc66bb91457827f62e2b6cb2518666820f0a6c48",
"versionType": "git"
},
{
"lessThan": "4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b",
"status": "affected",
"version": "cc66bb91457827f62e2b6cb2518666820f0a6c48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/kprobes/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.84",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.24",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address\n\nRead from an unsafe address with copy_from_kernel_nofault() in\narch_adjust_kprobe_addr() because this function is used before checking\nthe address is in text or not. Syzcaller bot found a bug and reported\nthe case if user specifies inaccessible data area,\narch_adjust_kprobe_addr() will cause a kernel panic.\n\n[ mingo: Clarified the comment. ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:07:26.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6417684315087904fffe8966d27ca74398c57dd6"
},
{
"url": "https://git.kernel.org/stable/c/f13edd1871d4fb4ab829aff629d47914e251bae3"
},
{
"url": "https://git.kernel.org/stable/c/20fdb21eabaeb8f78f8f701f56d14ea0836ec861"
},
{
"url": "https://git.kernel.org/stable/c/b69f577308f1070004cafac106dd1a44099e5483"
},
{
"url": "https://git.kernel.org/stable/c/4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b"
}
],
"title": "kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26946",
"datePublished": "2024-05-01T05:18:13.192Z",
"dateReserved": "2024-02-19T14:20:24.197Z",
"dateUpdated": "2026-05-11T20:07:26.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35839 (GCVE-0-2024-35839)
Vulnerability from cvelistv5 – Published: 2024-05-17 14:27 – Updated: 2026-05-11 20:12
VLAI
EPSS
Title
netfilter: bridge: replace physindev with physinif in nf_bridge_info
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bridge: replace physindev with physinif in nf_bridge_info
An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.
As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from been
freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
different device's neigh queue) we can crash on e.g. this stack:
arp_process
neigh_update
skb = __skb_dequeue(&neigh->arp_queue)
neigh_resolve_output(..., skb)
...
br_nf_dev_xmit
br_nf_pre_routing_finish_bridge_slow
skb->dev = nf_bridge->physindev
br_handle_frame_finish
Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b
(git)
Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 9325e3188a9cf3f69fc6f32af59844bbc5b90547 (git) Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 544add1f1cfb78c3dfa3e6edcf4668f6be5e730c (git) Affected: c4e70a87d975d1f561a00abfe2d3cefa2a486c95 , < 9874808878d9eed407e3977fd11fee49de1e1d86 (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 6.1.75 , ≤ 6.1.* (semver) Unaffected: 6.6.14 , ≤ 6.6.* (semver) Unaffected: 6.7.2 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T19:26:55.890240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:33:44.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/netfilter_bridge.h",
"include/linux/skbuff.h",
"net/bridge/br_netfilter_hooks.c",
"net/bridge/br_netfilter_ipv6.c",
"net/ipv4/netfilter/nf_reject_ipv4.c",
"net/ipv6/netfilter/nf_reject_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b",
"status": "affected",
"version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
"versionType": "git"
},
{
"lessThan": "9325e3188a9cf3f69fc6f32af59844bbc5b90547",
"status": "affected",
"version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
"versionType": "git"
},
{
"lessThan": "544add1f1cfb78c3dfa3e6edcf4668f6be5e730c",
"status": "affected",
"version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
"versionType": "git"
},
{
"lessThan": "9874808878d9eed407e3977fd11fee49de1e1d86",
"status": "affected",
"version": "c4e70a87d975d1f561a00abfe2d3cefa2a486c95",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/netfilter_bridge.h",
"include/linux/skbuff.h",
"net/bridge/br_netfilter_hooks.c",
"net/bridge/br_netfilter_ipv6.c",
"net/ipv4/netfilter/nf_reject_ipv4.c",
"net/ipv6/netfilter/nf_reject_ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.75",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.14",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: replace physindev with physinif in nf_bridge_info\n\nAn skb can be added to a neigh-\u003earp_queue while waiting for an arp\nreply. Where original skb\u0027s skb-\u003edev can be different to neigh\u0027s\nneigh-\u003edev. For instance in case of bridging dnated skb from one veth to\nanother, the skb would be added to a neigh-\u003earp_queue of the bridge.\n\nAs skb-\u003edev can be reset back to nf_bridge-\u003ephysindev and used, and as\nthere is no explicit mechanism that prevents this physindev from been\nfreed under us (for instance neigh_flush_dev doesn\u0027t cleanup skbs from\ndifferent device\u0027s neigh queue) we can crash on e.g. this stack:\n\narp_process\n neigh_update\n skb = __skb_dequeue(\u0026neigh-\u003earp_queue)\n neigh_resolve_output(..., skb)\n ...\n br_nf_dev_xmit\n br_nf_pre_routing_finish_bridge_slow\n skb-\u003edev = nf_bridge-\u003ephysindev\n br_handle_frame_finish\n\nLet\u0027s use plain ifindex instead of net_device link. To peek into the\noriginal net_device we will use dev_get_by_index_rcu(). Thus either we\nget device and are safe to use it or we don\u0027t get it and drop skb."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:12:08.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b"
},
{
"url": "https://git.kernel.org/stable/c/9325e3188a9cf3f69fc6f32af59844bbc5b90547"
},
{
"url": "https://git.kernel.org/stable/c/544add1f1cfb78c3dfa3e6edcf4668f6be5e730c"
},
{
"url": "https://git.kernel.org/stable/c/9874808878d9eed407e3977fd11fee49de1e1d86"
}
],
"title": "netfilter: bridge: replace physindev with physinif in nf_bridge_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35839",
"datePublished": "2024-05-17T14:27:30.524Z",
"dateReserved": "2024-05-17T13:50:33.104Z",
"dateUpdated": "2026-05-11T20:12:08.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35875 (GCVE-0-2024-35875)
Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-05-11 20:12
VLAI
EPSS
Title
x86/coco: Require seeding RNG with RDRAND on CoCo systems
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/coco: Require seeding RNG with RDRAND on CoCo systems
There are few uses of CoCo that don't rely on working cryptography and
hence a working RNG. Unfortunately, the CoCo threat model means that the
VM host cannot be trusted and may actively work against guests to
extract secrets or manipulate computation. Since a malicious host can
modify or observe nearly all inputs to guests, the only remaining source
of entropy for CoCo guests is RDRAND.
If RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole
is meant to gracefully continue on gathering entropy from other sources,
but since there aren't other sources on CoCo, this is catastrophic.
This is mostly a concern at boot time when initially seeding the RNG, as
after that the consequences of a broken RDRAND are much more
theoretical.
So, try at boot to seed the RNG using 256 bits of RDRAND output. If this
fails, panic(). This will also trigger if the system is booted without
RDRAND, as RDRAND is essential for a safe CoCo boot.
Add this deliberately to be "just a CoCo x86 driver feature" and not
part of the RNG itself. Many device drivers and platforms have some
desire to contribute something to the RNG, and add_device_randomness()
is specifically meant for this purpose.
Any driver can call it with seed data of any quality, or even garbage
quality, and it can only possibly make the quality of the RNG better or
have no effect, but can never make it worse.
Rather than trying to build something into the core of the RNG, consider
the particular CoCo issue just a CoCo issue, and therefore separate it
all out into driver (well, arch/platform) code.
[ bp: Massage commit message. ]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d8aa7eea78a1401cce39b3bb61ead0150044a3df , < 22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374
(git)
Affected: d8aa7eea78a1401cce39b3bb61ead0150044a3df , < 453b5f2dec276c1bb4ea078bf8c0da57ee4627e5 (git) Affected: d8aa7eea78a1401cce39b3bb61ead0150044a3df , < 08044b08b37528b82f70a87576c692b4e4b7716e (git) Affected: d8aa7eea78a1401cce39b3bb61ead0150044a3df , < 99485c4c026f024e7cb82da84c7951dbe3deb584 (git) |
|
| Linux | Linux |
Affected:
4.15
Unaffected: 0 , < 4.15 (semver) Unaffected: 6.1.85 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:38:48.795160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:41:42.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:49.026Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/coco/core.c",
"arch/x86/include/asm/coco.h",
"arch/x86/kernel/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374",
"status": "affected",
"version": "d8aa7eea78a1401cce39b3bb61ead0150044a3df",
"versionType": "git"
},
{
"lessThan": "453b5f2dec276c1bb4ea078bf8c0da57ee4627e5",
"status": "affected",
"version": "d8aa7eea78a1401cce39b3bb61ead0150044a3df",
"versionType": "git"
},
{
"lessThan": "08044b08b37528b82f70a87576c692b4e4b7716e",
"status": "affected",
"version": "d8aa7eea78a1401cce39b3bb61ead0150044a3df",
"versionType": "git"
},
{
"lessThan": "99485c4c026f024e7cb82da84c7951dbe3deb584",
"status": "affected",
"version": "d8aa7eea78a1401cce39b3bb61ead0150044a3df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/coco/core.c",
"arch/x86/include/asm/coco.h",
"arch/x86/kernel/setup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don\u0027t rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren\u0027t other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:12:57.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374"
},
{
"url": "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5"
},
{
"url": "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e"
},
{
"url": "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584"
}
],
"title": "x86/coco: Require seeding RNG with RDRAND on CoCo systems",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35875",
"datePublished": "2024-05-19T08:34:32.767Z",
"dateReserved": "2024-05-17T13:50:33.110Z",
"dateUpdated": "2026-05-11T20:12:57.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35895 (GCVE-0-2024-35895)
Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-05-12 11:52
VLAI
EPSS
Title
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Prevent lock inversion deadlock in map delete elem
syzkaller started using corpuses where a BPF tracing program deletes
elements from a sockmap/sockhash map. Because BPF tracing programs can be
invoked from any interrupt context, locks taken during a map_delete_elem
operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
is possible, as reported by lockdep:
CPU0 CPU1
---- ----
lock(&htab->buckets[i].lock);
local_irq_disable();
lock(&host->lock);
lock(&htab->buckets[i].lock);
<Interrupt>
lock(&host->lock);
Locks in sockmap are hardirq-unsafe by design. We expects elements to be
deleted from sockmap/sockhash only in task (normal) context with interrupts
enabled, or in softirq context.
Detect when map_delete_elem operation is invoked from a context which is
_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
error.
Note that map updates are not affected by this issue. BPF verifier does not
allow updating sockmap/sockhash from a BPF tracing program today.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
604326b41a6fb9b4a78b6179335decee0365cd8c , < f7990498b05ac41f7d6a190dc0418ef1d21bf058
(git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < dd54b48db0c822ae7b520bc80751f0a0a173ef75 (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < a44770fed86515eedb5a7c00b787f847ebb134a5 (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 668b3074aa14829e2ac2759799537a93b60fef86 (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 6af057ccdd8e7619960aca1f0428339f213b31cd (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < ff91059932401894e6c86341915615c5eb0eca48 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.4.274 , ≤ 5.4.* (semver) Unaffected: 5.10.215 , ≤ 5.10.* (semver) Unaffected: 5.15.154 , ≤ 5.15.* (semver) Unaffected: 6.1.85 , ≤ 6.1.* (semver) Unaffected: 6.6.26 , ≤ 6.6.* (semver) Unaffected: 6.8.5 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T19:25:39.256006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:34:48.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:48.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:52:30.641Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7990498b05ac41f7d6a190dc0418ef1d21bf058",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "dd54b48db0c822ae7b520bc80751f0a0a173ef75",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "a44770fed86515eedb5a7c00b787f847ebb134a5",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "668b3074aa14829e2ac2759799537a93b60fef86",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "6af057ccdd8e7619960aca1f0428339f213b31cd",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "ff91059932401894e6c86341915615c5eb0eca48",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.215",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.215",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.154",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.85",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.26",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.5",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(\u0026htab-\u003ebuckets[i].lock);\n local_irq_disable();\n lock(\u0026host-\u003elock);\n lock(\u0026htab-\u003ebuckets[i].lock);\n \u003cInterrupt\u003e\n lock(\u0026host-\u003elock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:13:19.610Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058"
},
{
"url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75"
},
{
"url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec"
},
{
"url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5"
},
{
"url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86"
},
{
"url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd"
},
{
"url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48"
}
],
"title": "bpf, sockmap: Prevent lock inversion deadlock in map delete elem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-35895",
"datePublished": "2024-05-19T08:34:50.276Z",
"dateReserved": "2024-05-17T13:50:33.113Z",
"dateUpdated": "2026-05-12T11:52:30.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-38540 (GCVE-0-2024-38540)
Vulnerability from cvelistv5 – Published: 2024-06-19 13:35 – Updated: 2026-05-11 20:18
VLAI
EPSS
Title
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
roundup_pow_of_two is documented as undefined for 0.
Fix it in the one caller that had this combination.
The undefined behavior was detected by UBSAN:
UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
ubsan_epilogue+0x5/0x30
__ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
__roundup_pow_of_two+0x25/0x35 [bnxt_re]
bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? __kmalloc+0x1b6/0x4f0
? create_qp.part.0+0x128/0x1c0 [ib_core]
? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
create_qp.part.0+0x128/0x1c0 [ib_core]
ib_create_qp_kernel+0x50/0xd0 [ib_core]
create_mad_qp+0x8e/0xe0 [ib_core]
? __pfx_qp_event_handler+0x10/0x10 [ib_core]
ib_mad_init_device+0x2be/0x680 [ib_core]
add_client_context+0x10d/0x1a0 [ib_core]
enable_device_and_get+0xe0/0x1d0 [ib_core]
ib_register_device+0x53c/0x630 [ib_core]
? srso_alias_return_thunk+0x5/0xfbef5
bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
auxiliary_bus_probe+0x49/0x80
? driver_sysfs_add+0x57/0xc0
really_probe+0xde/0x340
? pm_runtime_barrier+0x54/0x90
? __pfx___driver_attach+0x10/0x10
__driver_probe_device+0x78/0x110
driver_probe_device+0x1f/0xa0
__driver_attach+0xba/0x1c0
bus_for_each_dev+0x8f/0xe0
bus_add_driver+0x146/0x220
driver_register+0x72/0xd0
__auxiliary_driver_register+0x6e/0xd0
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
do_one_initcall+0x5b/0x310
do_init_module+0x90/0x250
init_module_from_file+0x86/0xc0
idempotent_init_module+0x121/0x2b0
__x64_sys_finit_module+0x5e/0xb0
do_syscall_64+0x82/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode_prepare+0x149/0x170
? srso_alias_return_thunk+0x5/0xfbef5
? syscall_exit_to_user_mode+0x75/0x230
? srso_alias_return_thunk+0x5/0xfbef5
? do_syscall_64+0x8e/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? __count_memcg_events+0x69/0x100
? srso_alias_return_thunk+0x5/0xfbef5
? count_memcg_events.constprop.0+0x1a/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? handle_mm_fault+0x1f0/0x300
? srso_alias_return_thunk+0x5/0xfbef5
? do_user_addr_fault+0x34e/0x640
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4e5132821d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
</TASK>
---[ end trace ]---
Severity
4.4 (Medium)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 66a9937187ac9b5c5ffff07b8b284483e56804d1
(git)
Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 84d2f29152184f0d72ed7c9648c4ee6927df4e59 (git) Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < a658f011d89dd20cf2c7cb4760ffd79201700b98 (git) Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 627493443f3a8458cb55cdae1da254a7001123bc (git) Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 8b799c00cea6fcfe5b501bbaeb228c8821acb753 (git) Affected: 0c4dcd602817502bb3dced7a834a13ef717d65a4 , < 78cfd17142ef70599d6409cbd709d94b3da58659 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.15.181 , ≤ 5.15.* (semver) Unaffected: 6.1.117 , ≤ 6.1.* (semver) Unaffected: 6.6.33 , ≤ 6.6.* (semver) Unaffected: 6.8.12 , ≤ 6.8.* (semver) Unaffected: 6.9.3 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38540",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T15:37:42.492444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T19:54:28.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:55:46.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/qplib_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66a9937187ac9b5c5ffff07b8b284483e56804d1",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "84d2f29152184f0d72ed7c9648c4ee6927df4e59",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "a658f011d89dd20cf2c7cb4760ffd79201700b98",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "627493443f3a8458cb55cdae1da254a7001123bc",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "8b799c00cea6fcfe5b501bbaeb228c8821acb753",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "78cfd17142ef70599d6409cbd709d94b3da58659",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/qplib_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.117",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.12",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq\n\nUndefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called\nwith hwq_attr-\u003eaux_depth != 0 and hwq_attr-\u003eaux_stride == 0.\nIn that case, \"roundup_pow_of_two(hwq_attr-\u003eaux_stride)\" gets called.\nroundup_pow_of_two is documented as undefined for 0.\n\nFix it in the one caller that had this combination.\n\nThe undefined behavior was detected by UBSAN:\n UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n shift exponent 64 is too large for 64-bit type \u0027long unsigned int\u0027\n CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4\n Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5d/0x80\n ubsan_epilogue+0x5/0x30\n __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec\n __roundup_pow_of_two+0x25/0x35 [bnxt_re]\n bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]\n bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]\n bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __kmalloc+0x1b6/0x4f0\n ? create_qp.part.0+0x128/0x1c0 [ib_core]\n ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]\n create_qp.part.0+0x128/0x1c0 [ib_core]\n ib_create_qp_kernel+0x50/0xd0 [ib_core]\n create_mad_qp+0x8e/0xe0 [ib_core]\n ? __pfx_qp_event_handler+0x10/0x10 [ib_core]\n ib_mad_init_device+0x2be/0x680 [ib_core]\n add_client_context+0x10d/0x1a0 [ib_core]\n enable_device_and_get+0xe0/0x1d0 [ib_core]\n ib_register_device+0x53c/0x630 [ib_core]\n ? srso_alias_return_thunk+0x5/0xfbef5\n bnxt_re_probe+0xbd8/0xe50 [bnxt_re]\n ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]\n auxiliary_bus_probe+0x49/0x80\n ? driver_sysfs_add+0x57/0xc0\n really_probe+0xde/0x340\n ? pm_runtime_barrier+0x54/0x90\n ? __pfx___driver_attach+0x10/0x10\n __driver_probe_device+0x78/0x110\n driver_probe_device+0x1f/0xa0\n __driver_attach+0xba/0x1c0\n bus_for_each_dev+0x8f/0xe0\n bus_add_driver+0x146/0x220\n driver_register+0x72/0xd0\n __auxiliary_driver_register+0x6e/0xd0\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]\n ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]\n do_one_initcall+0x5b/0x310\n do_init_module+0x90/0x250\n init_module_from_file+0x86/0xc0\n idempotent_init_module+0x121/0x2b0\n __x64_sys_finit_module+0x5e/0xb0\n do_syscall_64+0x82/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode_prepare+0x149/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? syscall_exit_to_user_mode+0x75/0x230\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_syscall_64+0x8e/0x160\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __count_memcg_events+0x69/0x100\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? count_memcg_events.constprop.0+0x1a/0x30\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? handle_mm_fault+0x1f0/0x300\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? do_user_addr_fault+0x34e/0x640\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f4e5132821d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d\n RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b\n RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0\n R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d\n R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60\n \u003c/TASK\u003e\n ---[ end trace ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:18:38.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66a9937187ac9b5c5ffff07b8b284483e56804d1"
},
{
"url": "https://git.kernel.org/stable/c/84d2f29152184f0d72ed7c9648c4ee6927df4e59"
},
{
"url": "https://git.kernel.org/stable/c/a658f011d89dd20cf2c7cb4760ffd79201700b98"
},
{
"url": "https://git.kernel.org/stable/c/627493443f3a8458cb55cdae1da254a7001123bc"
},
{
"url": "https://git.kernel.org/stable/c/8b799c00cea6fcfe5b501bbaeb228c8821acb753"
},
{
"url": "https://git.kernel.org/stable/c/78cfd17142ef70599d6409cbd709d94b3da58659"
}
],
"title": "bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38540",
"datePublished": "2024-06-19T13:35:15.823Z",
"dateReserved": "2024-06-18T19:36:34.918Z",
"dateUpdated": "2026-05-11T20:18:38.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-38570 (GCVE-0-2024-38570)
Vulnerability from cvelistv5 – Published: 2024-06-19 13:35 – Updated: 2026-05-11 20:19
VLAI
EPSS
Title
gfs2: Fix potential glock use-after-free on unmount
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix potential glock use-after-free on unmount
When a DLM lockspace is released and there ares still locks in that
lockspace, DLM will unlock those locks automatically. Commit
fb6791d100d1b started exploiting this behavior to speed up filesystem
unmount: gfs2 would simply free glocks it didn't want to unlock and then
release the lockspace. This didn't take the bast callbacks for
asynchronous lock contention notifications into account, which remain
active until until a lock is unlocked or its lockspace is released.
To prevent those callbacks from accessing deallocated objects, put the
glocks that should not be unlocked on the sd_dead_glocks list, release
the lockspace, and only then free those glocks.
As an additional measure, ignore unexpected ast and bast callbacks if
the receiving glock is dead.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fb6791d100d1bba20b5cdbc4912e1f7086ec60f8 , < 0636b34b44589b142700ac137b5f69802cfe2e37
(git)
Affected: fb6791d100d1bba20b5cdbc4912e1f7086ec60f8 , < e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0 (git) Affected: fb6791d100d1bba20b5cdbc4912e1f7086ec60f8 , < 501cd8fabf621d10bd4893e37f6ce6c20523c8ca (git) Affected: fb6791d100d1bba20b5cdbc4912e1f7086ec60f8 , < d98779e687726d8f8860f1c54b5687eec5f63a73 (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 6.6.33 , ≤ 6.6.* (semver) Unaffected: 6.8.12 , ≤ 6.8.* (semver) Unaffected: 6.9.3 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:14:22.126008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:56.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/glock.c",
"fs/gfs2/glock.h",
"fs/gfs2/incore.h",
"fs/gfs2/lock_dlm.c",
"fs/gfs2/ops_fstype.c",
"fs/gfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0636b34b44589b142700ac137b5f69802cfe2e37",
"status": "affected",
"version": "fb6791d100d1bba20b5cdbc4912e1f7086ec60f8",
"versionType": "git"
},
{
"lessThan": "e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0",
"status": "affected",
"version": "fb6791d100d1bba20b5cdbc4912e1f7086ec60f8",
"versionType": "git"
},
{
"lessThan": "501cd8fabf621d10bd4893e37f6ce6c20523c8ca",
"status": "affected",
"version": "fb6791d100d1bba20b5cdbc4912e1f7086ec60f8",
"versionType": "git"
},
{
"lessThan": "d98779e687726d8f8860f1c54b5687eec5f63a73",
"status": "affected",
"version": "fb6791d100d1bba20b5cdbc4912e1f7086ec60f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/glock.c",
"fs/gfs2/glock.h",
"fs/gfs2/incore.h",
"fs/gfs2/lock_dlm.c",
"fs/gfs2/ops_fstype.c",
"fs/gfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.12",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix potential glock use-after-free on unmount\n\nWhen a DLM lockspace is released and there ares still locks in that\nlockspace, DLM will unlock those locks automatically. Commit\nfb6791d100d1b started exploiting this behavior to speed up filesystem\nunmount: gfs2 would simply free glocks it didn\u0027t want to unlock and then\nrelease the lockspace. This didn\u0027t take the bast callbacks for\nasynchronous lock contention notifications into account, which remain\nactive until until a lock is unlocked or its lockspace is released.\n\nTo prevent those callbacks from accessing deallocated objects, put the\nglocks that should not be unlocked on the sd_dead_glocks list, release\nthe lockspace, and only then free those glocks.\n\nAs an additional measure, ignore unexpected ast and bast callbacks if\nthe receiving glock is dead."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:19:16.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0636b34b44589b142700ac137b5f69802cfe2e37"
},
{
"url": "https://git.kernel.org/stable/c/e42e8a24d7f02d28763d16ca7ec5fc6d1f142af0"
},
{
"url": "https://git.kernel.org/stable/c/501cd8fabf621d10bd4893e37f6ce6c20523c8ca"
},
{
"url": "https://git.kernel.org/stable/c/d98779e687726d8f8860f1c54b5687eec5f63a73"
}
],
"title": "gfs2: Fix potential glock use-after-free on unmount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38570",
"datePublished": "2024-06-19T13:35:36.274Z",
"dateReserved": "2024-06-18T19:36:34.923Z",
"dateUpdated": "2026-05-11T20:19:16.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39502 (GCVE-0-2024-39502)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:20 – Updated: 2026-05-12 11:55
VLAI
EPSS
Title
ionic: fix use after netif_napi_del()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ionic: fix use after netif_napi_del()
When queues are started, netif_napi_add() and napi_enable() are called.
If there are 4 queues and only 3 queues are used for the current
configuration, only 3 queues' napi should be registered and enabled.
The ionic_qcq_enable() checks whether the .poll pointer is not NULL for
enabling only the using queue' napi. Unused queues' napi will not be
registered by netif_napi_add(), so the .poll pointer indicates NULL.
But it couldn't distinguish whether the napi was unregistered or not
because netif_napi_del() doesn't reset the .poll pointer to NULL.
So, ionic_qcq_enable() calls napi_enable() for the queue, which was
unregistered by netif_napi_del().
Reproducer:
ethtool -L <interface name> rx 1 tx 1 combined 0
ethtool -L <interface name> rx 0 tx 0 combined 1
ethtool -L <interface name> rx 0 tx 0 combined 4
Splat looks like:
kernel BUG at net/core/dev.c:6666!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
Workqueue: events ionic_lif_deferred_work [ionic]
RIP: 0010:napi_enable+0x3b/0x40
Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<TASK>
? die+0x33/0x90
? do_trap+0xd9/0x100
? napi_enable+0x3b/0x40
? do_error_trap+0x83/0xb0
? napi_enable+0x3b/0x40
? napi_enable+0x3b/0x40
? exc_invalid_op+0x4e/0x70
? napi_enable+0x3b/0x40
? asm_exc_invalid_op+0x16/0x20
? napi_enable+0x3b/0x40
ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
process_one_work+0x145/0x360
worker_thread+0x2bb/0x3d0
? __pfx_worker_thread+0x10/0x10
kthread+0xcc/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < 0d19267cb150e8f76ade210e16ee820a77f684e7
(git)
Affected: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < ff9c2a9426ecf5b9631e9fd74993b357262387d6 (git) Affected: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < 8edd18dab443863e9e48f084e7f123fca3065e4e (git) Affected: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < 60cd714871cd5a683353a355cbb17a685245cf84 (git) Affected: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < 183ebc167a8a19e916b885d4bb61a3491991bfa5 (git) Affected: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < a87d72b37b9ec2c1e18fe36b09241d8b30334a2e (git) Affected: 0f3154e6bcb354968cc04f7cd86ce466f7b9a814 , < 79f18a41dd056115d685f3b0a419c7cd40055e13 (git) |
|
| Linux | Linux |
Affected:
5.4
Unaffected: 0 , < 5.4 (semver) Unaffected: 5.4.279 , ≤ 5.4.* (semver) Unaffected: 5.10.221 , ≤ 5.10.* (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.95 , ≤ 6.1.* (semver) Unaffected: 6.6.35 , ≤ 6.6.* (semver) Unaffected: 6.9.6 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:56:21.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:07:07.252622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:40.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:55:35.054Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/pensando/ionic/ionic_lif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d19267cb150e8f76ade210e16ee820a77f684e7",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
},
{
"lessThan": "ff9c2a9426ecf5b9631e9fd74993b357262387d6",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
},
{
"lessThan": "8edd18dab443863e9e48f084e7f123fca3065e4e",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
},
{
"lessThan": "60cd714871cd5a683353a355cbb17a685245cf84",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
},
{
"lessThan": "183ebc167a8a19e916b885d4bb61a3491991bfa5",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
},
{
"lessThan": "a87d72b37b9ec2c1e18fe36b09241d8b30334a2e",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
},
{
"lessThan": "79f18a41dd056115d685f3b0a419c7cd40055e13",
"status": "affected",
"version": "0f3154e6bcb354968cc04f7cd86ce466f7b9a814",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/pensando/ionic/ionic_lif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.279",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.95",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.35",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.6",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: fix use after netif_napi_del()\n\nWhen queues are started, netif_napi_add() and napi_enable() are called.\nIf there are 4 queues and only 3 queues are used for the current\nconfiguration, only 3 queues\u0027 napi should be registered and enabled.\nThe ionic_qcq_enable() checks whether the .poll pointer is not NULL for\nenabling only the using queue\u0027 napi. Unused queues\u0027 napi will not be\nregistered by netif_napi_add(), so the .poll pointer indicates NULL.\nBut it couldn\u0027t distinguish whether the napi was unregistered or not\nbecause netif_napi_del() doesn\u0027t reset the .poll pointer to NULL.\nSo, ionic_qcq_enable() calls napi_enable() for the queue, which was\nunregistered by netif_napi_del().\n\nReproducer:\n ethtool -L \u003cinterface name\u003e rx 1 tx 1 combined 0\n ethtool -L \u003cinterface name\u003e rx 0 tx 0 combined 1\n ethtool -L \u003cinterface name\u003e rx 0 tx 0 combined 4\n\nSplat looks like:\nkernel BUG at net/core/dev.c:6666!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16\nWorkqueue: events ionic_lif_deferred_work [ionic]\nRIP: 0010:napi_enable+0x3b/0x40\nCode: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f\nRSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28\nRBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001\nR10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000\nR13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20\nFS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? die+0x33/0x90\n ? do_trap+0xd9/0x100\n ? napi_enable+0x3b/0x40\n ? do_error_trap+0x83/0xb0\n ? napi_enable+0x3b/0x40\n ? napi_enable+0x3b/0x40\n ? exc_invalid_op+0x4e/0x70\n ? napi_enable+0x3b/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? napi_enable+0x3b/0x40\n ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]\n process_one_work+0x145/0x360\n worker_thread+0x2bb/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xcc/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:21:47.047Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d19267cb150e8f76ade210e16ee820a77f684e7"
},
{
"url": "https://git.kernel.org/stable/c/ff9c2a9426ecf5b9631e9fd74993b357262387d6"
},
{
"url": "https://git.kernel.org/stable/c/8edd18dab443863e9e48f084e7f123fca3065e4e"
},
{
"url": "https://git.kernel.org/stable/c/60cd714871cd5a683353a355cbb17a685245cf84"
},
{
"url": "https://git.kernel.org/stable/c/183ebc167a8a19e916b885d4bb61a3491991bfa5"
},
{
"url": "https://git.kernel.org/stable/c/a87d72b37b9ec2c1e18fe36b09241d8b30334a2e"
},
{
"url": "https://git.kernel.org/stable/c/79f18a41dd056115d685f3b0a419c7cd40055e13"
}
],
"title": "ionic: fix use after netif_napi_del()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-39502",
"datePublished": "2024-07-12T12:20:35.635Z",
"dateReserved": "2024-06-25T14:23:23.752Z",
"dateUpdated": "2026-05-12T11:55:35.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-40914 (GCVE-0-2024-40914)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:24 – Updated: 2026-05-23 15:50
VLAI
EPSS
Title
mm/huge_memory: don't unpoison huge_zero_folio
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: don't unpoison huge_zero_folio
When I did memory failure tests recently, below panic occurs:
kernel BUG at include/linux/mm.h:1135!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
Call Trace:
<TASK>
do_shrink_slab+0x14f/0x6a0
shrink_slab+0xca/0x8c0
shrink_node+0x2d0/0x7d0
balance_pgdat+0x33a/0x720
kswapd+0x1f3/0x410
kthread+0xd5/0x100
ret_from_fork+0x2f/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
Modules linked in: mce_inject hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
The root cause is that HWPoison flag will be set for huge_zero_folio
without increasing the folio refcnt. But then unpoison_memory() will
decrease the folio refcnt unexpectedly as it appears like a successfully
hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when
releasing huge_zero_folio.
Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue.
We're not prepared to unpoison huge_zero_folio yet.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f8f836100fff594cea8a0a027affb9d5520f09a7 , < 688bb46ad339497b5b7f527b6636d2afe04b46af
(git)
Affected: 478d134e9506c7e9bfe2830ed03dd85e97966313 , < b2494506f30675245a3e6787281f79601af087bf (git) Affected: 478d134e9506c7e9bfe2830ed03dd85e97966313 , < 0d73477af964dbd7396163a13817baf13940bca9 (git) Affected: 478d134e9506c7e9bfe2830ed03dd85e97966313 , < d72b7711919de49d92a67dfc844a6cf4c23dd794 (git) Affected: 478d134e9506c7e9bfe2830ed03dd85e97966313 , < fe6f86f4b40855a130a19aa589f9ba7f650423f4 (git) Affected: 13d9b8cd12f37d133b07ea5b323583e8a0c6b738 (git) Affected: 5.15.41 , < 5.15.162 (semver) Affected: 5.17.9 , < 5.18 (semver) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.95 , ≤ 6.1.* (semver) Unaffected: 6.6.35 , ≤ 6.6.* (semver) Unaffected: 6.9.6 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:57:44.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:05:52.834846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:39.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "688bb46ad339497b5b7f527b6636d2afe04b46af",
"status": "affected",
"version": "f8f836100fff594cea8a0a027affb9d5520f09a7",
"versionType": "git"
},
{
"lessThan": "b2494506f30675245a3e6787281f79601af087bf",
"status": "affected",
"version": "478d134e9506c7e9bfe2830ed03dd85e97966313",
"versionType": "git"
},
{
"lessThan": "0d73477af964dbd7396163a13817baf13940bca9",
"status": "affected",
"version": "478d134e9506c7e9bfe2830ed03dd85e97966313",
"versionType": "git"
},
{
"lessThan": "d72b7711919de49d92a67dfc844a6cf4c23dd794",
"status": "affected",
"version": "478d134e9506c7e9bfe2830ed03dd85e97966313",
"versionType": "git"
},
{
"lessThan": "fe6f86f4b40855a130a19aa589f9ba7f650423f4",
"status": "affected",
"version": "478d134e9506c7e9bfe2830ed03dd85e97966313",
"versionType": "git"
},
{
"status": "affected",
"version": "13d9b8cd12f37d133b07ea5b323583e8a0c6b738",
"versionType": "git"
},
{
"lessThan": "5.15.162",
"status": "affected",
"version": "5.15.41",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory-failure.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.95",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.35",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: don\u0027t unpoison huge_zero_folio\n\nWhen I did memory failure tests recently, below panic occurs:\n\n kernel BUG at include/linux/mm.h:1135!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n do_shrink_slab+0x14f/0x6a0\n shrink_slab+0xca/0x8c0\n shrink_node+0x2d0/0x7d0\n balance_pgdat+0x33a/0x720\n kswapd+0x1f3/0x410\n kthread+0xd5/0x100\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n Modules linked in: mce_inject hwpoison_inject\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\n RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\n RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\n RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\n RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\n R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\n FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\n\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\n\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe\u0027re not prepared to unpoison huge_zero_folio yet."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:50:52.644Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af"
},
{
"url": "https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf"
},
{
"url": "https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9"
},
{
"url": "https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794"
},
{
"url": "https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4"
}
],
"title": "mm/huge_memory: don\u0027t unpoison huge_zero_folio",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40914",
"datePublished": "2024-07-12T12:24:58.055Z",
"dateReserved": "2024-07-12T12:17:45.581Z",
"dateUpdated": "2026-05-23T15:50:52.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-40956 (GCVE-0-2024-40956)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:31 – Updated: 2026-05-11 20:23
VLAI
EPSS
Title
dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list
Use list_for_each_entry_safe() to allow iterating through the list and
deleting the entry in the iteration process. The descriptor is freed via
idxd_desc_complete() and there's a slight chance may cause issue for
the list iterator when the descriptor is reused by another thread
without it being deleted from the list.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
16e19e11228ba660d9e322035635e7dcf160d5c2 , < 1b08bf5a17c66ab7dbb628df5344da53c8e7ab33
(git)
Affected: 16e19e11228ba660d9e322035635e7dcf160d5c2 , < 83163667d881100a485b6c2daa30301b7f68d9b5 (git) Affected: 16e19e11228ba660d9e322035635e7dcf160d5c2 , < faa35db78b058a2ab6e074ee283f69fa398c36a8 (git) Affected: 16e19e11228ba660d9e322035635e7dcf160d5c2 , < a14968921486793f2a956086895c3793761309dd (git) Affected: 16e19e11228ba660d9e322035635e7dcf160d5c2 , < e3215deca4520773cd2b155bed164c12365149a7 (git) |
|
| Linux | Linux |
Affected:
5.11
Unaffected: 0 , < 5.11 (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.96 , ≤ 6.1.* (semver) Unaffected: 6.6.36 , ≤ 6.6.* (semver) Unaffected: 6.9.7 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:58:20.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:03:42.094021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:24.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b08bf5a17c66ab7dbb628df5344da53c8e7ab33",
"status": "affected",
"version": "16e19e11228ba660d9e322035635e7dcf160d5c2",
"versionType": "git"
},
{
"lessThan": "83163667d881100a485b6c2daa30301b7f68d9b5",
"status": "affected",
"version": "16e19e11228ba660d9e322035635e7dcf160d5c2",
"versionType": "git"
},
{
"lessThan": "faa35db78b058a2ab6e074ee283f69fa398c36a8",
"status": "affected",
"version": "16e19e11228ba660d9e322035635e7dcf160d5c2",
"versionType": "git"
},
{
"lessThan": "a14968921486793f2a956086895c3793761309dd",
"status": "affected",
"version": "16e19e11228ba660d9e322035635e7dcf160d5c2",
"versionType": "git"
},
{
"lessThan": "e3215deca4520773cd2b155bed164c12365149a7",
"status": "affected",
"version": "16e19e11228ba660d9e322035635e7dcf160d5c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/idxd/irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.96",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list\n\nUse list_for_each_entry_safe() to allow iterating through the list and\ndeleting the entry in the iteration process. The descriptor is freed via\nidxd_desc_complete() and there\u0027s a slight chance may cause issue for\nthe list iterator when the descriptor is reused by another thread\nwithout it being deleted from the list."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:23:05.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b08bf5a17c66ab7dbb628df5344da53c8e7ab33"
},
{
"url": "https://git.kernel.org/stable/c/83163667d881100a485b6c2daa30301b7f68d9b5"
},
{
"url": "https://git.kernel.org/stable/c/faa35db78b058a2ab6e074ee283f69fa398c36a8"
},
{
"url": "https://git.kernel.org/stable/c/a14968921486793f2a956086895c3793761309dd"
},
{
"url": "https://git.kernel.org/stable/c/e3215deca4520773cd2b155bed164c12365149a7"
}
],
"title": "dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40956",
"datePublished": "2024-07-12T12:31:59.027Z",
"dateReserved": "2024-07-12T12:17:45.593Z",
"dateUpdated": "2026-05-11T20:23:05.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…