CVE-2024-26737 (GCVE-0-2024-26737)

Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2026-05-11 20:03
VLAI
Title
bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < 5268bb02107b9eedfdcd51db75b407d10043368c (git)
Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < addf5e297e6cbf5341f9c07720693ca9ba0057b5 (git)
Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < 8327ed12e8ebc5436bfaa1786c49988894f9c8a6 (git)
Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < 7d80a9e745fa5b47da3bca001f186c02485c7c33 (git)
Affected: b00628b1c7d595ae5b544e059c27b1f5828314b4 , < 0281b919e175bb9c3128bd3872ac2903e9436e3f (git)
Create a notification for this product.
Linux Linux Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.150 , ≤ 5.15.* (semver)
Unaffected: 6.1.80 , ≤ 6.1.* (semver)
Unaffected: 6.6.19 , ≤ 6.6.* (semver)
Unaffected: 6.7.7 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26737",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-03T19:13:11.173900Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T18:51:47.375Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.230Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5268bb02107b9eedfdcd51db75b407d10043368c",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "addf5e297e6cbf5341f9c07720693ca9ba0057b5",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "8327ed12e8ebc5436bfaa1786c49988894f9c8a6",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "7d80a9e745fa5b47da3bca001f186c02485c7c33",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "0281b919e175bb9c3128bd3872ac2903e9436e3f",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.150",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.80",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead a UAF on the timer-\u003etimer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer-\u003etime;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer-\u003etimer;\n\t\t\t\t\t\ttimer-\u003etimer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(\u0026t-\u003etimer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(\u0026t-\u003etimer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer-\u003etimer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer-\u003etimer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer-\u003etimer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer-\u003etimer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t-\u003eflag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer-\u003etimer after\na rcu grace period."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:03:10.783Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c"
        },
        {
          "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33"
        },
        {
          "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f"
        }
      ],
      "title": "bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26737",
    "datePublished": "2024-04-03T17:00:23.414Z",
    "dateReserved": "2024-02-19T14:20:24.166Z",
    "dateUpdated": "2026-05-11T20:03:10.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-26737",
      "date": "2026-06-17",
      "epss": "0.00241",
      "percentile": "0.15034"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\\n\\nThe following race is possible between bpf_timer_cancel_and_free\\nand bpf_timer_cancel. It will lead a UAF on the timer-\u003etimer.\\n\\nbpf_timer_cancel();\\n\\tspin_lock();\\n\\tt = timer-\u003etime;\\n\\tspin_unlock();\\n\\n\\t\\t\\t\\t\\tbpf_timer_cancel_and_free();\\n\\t\\t\\t\\t\\t\\tspin_lock();\\n\\t\\t\\t\\t\\t\\tt = timer-\u003etimer;\\n\\t\\t\\t\\t\\t\\ttimer-\u003etimer = NULL;\\n\\t\\t\\t\\t\\t\\tspin_unlock();\\n\\t\\t\\t\\t\\t\\thrtimer_cancel(\u0026t-\u003etimer);\\n\\t\\t\\t\\t\\t\\tkfree(t);\\n\\n\\t/* UAF on t */\\n\\thrtimer_cancel(\u0026t-\u003etimer);\\n\\nIn bpf_timer_cancel_and_free, this patch frees the timer-\u003etimer\\nafter a rcu grace period. This requires a rcu_head addition\\nto the \\\"struct bpf_hrtimer\\\". Another kfree(t) happens in bpf_timer_init,\\nthis does not need a kfree_rcu because it is still under the\\nspin_lock and timer-\u003etimer has not been visible by others yet.\\n\\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\\ncan be used in a non rcu critical section context (e.g. from\\na sleepable bpf prog). Other timer-\u003etimer usages in helpers.c\\nhave been audited, bpf_timer_cancel() is the only place where\\ntimer-\u003etimer is used outside of the spin_lock.\\n\\nAnother solution considered is to mark a t-\u003eflag in bpf_timer_cancel\\nand clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,\\nit busy waits for the flag to be cleared before kfree(t). This patch\\ngoes with a straight forward solution and frees timer-\u003etimer after\\na rcu grace period.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Correcci\\u00f3n de ejecuci\\u00f3ns entre bpf_timer_cancel_and_free y bpf_timer_cancel La siguiente ejecuci\\u00f3n es posible entre bpf_timer_cancel_and_free y bpf_timer_cancel. Dirigir\\u00e1 una UAF en el temporizador-\u0026gt;temporizador. bpf_timer_cancel(); spin_lock(); t = temporizador-\u0026gt;tiempo; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = temporizador-\u0026gt;temporizador; temporizador-\u0026gt;temporizador = NULL; spin_unlock(); hrtimer_cancel(\u0026amp;t-\u0026gt;temporizador); klibre(t); /* UAF en t */ hrtimer_cancel(\u0026amp;t-\u0026gt;timer); En bpf_timer_cancel_and_free, este parche libera el temporizador-\u0026gt;temporizador despu\\u00e9s de un per\\u00edodo de gracia de rcu. Esto requiere una adici\\u00f3n de rcu_head a \\\"struct bpf_hrtimer\\\". Otro kfree(t) ocurre en bpf_timer_init, esto no necesita un kfree_rcu porque todav\\u00eda est\\u00e1 bajo spin_lock y otros a\\u00fan no han visible el temporizador-\u0026gt;temporizador. En bpf_timer_cancel, se agrega rcu_read_lock() porque este asistente puede usarse en un contexto de secci\\u00f3n no cr\\u00edtica para rcu (por ejemplo, desde un programa bpf que se puede dormir). Se han auditado otros usos de temporizador-\u0026gt;temporizador en helpers.c, bpf_timer_cancel() es el \\u00fanico lugar donde se usa temporizador-\u0026gt;temporizador fuera de spin_lock. Otra soluci\\u00f3n considerada es marcar una bandera t-\u0026gt; en bpf_timer_cancel y borrarla una vez finalizado hrtimer_cancel(). En bpf_timer_cancel_and_free, est\\u00e1 ocupado esperando a que se borre la bandera antes de kfree(t). Este parche incluye una soluci\\u00f3n sencilla y libera el temporizador-\u0026gt;temporizador despu\\u00e9s de un per\\u00edodo de gracia de rcu.\"}]",
      "id": "CVE-2024-26737",
      "lastModified": "2024-11-21T09:02:57.210",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-04-03T17:15:51.243",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26737\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-03T17:15:51.243\",\"lastModified\":\"2025-04-04T14:34:28.903\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\\n\\nThe following race is possible between bpf_timer_cancel_and_free\\nand bpf_timer_cancel. It will lead a UAF on the timer-\u003etimer.\\n\\nbpf_timer_cancel();\\n\\tspin_lock();\\n\\tt = timer-\u003etime;\\n\\tspin_unlock();\\n\\n\\t\\t\\t\\t\\tbpf_timer_cancel_and_free();\\n\\t\\t\\t\\t\\t\\tspin_lock();\\n\\t\\t\\t\\t\\t\\tt = timer-\u003etimer;\\n\\t\\t\\t\\t\\t\\ttimer-\u003etimer = NULL;\\n\\t\\t\\t\\t\\t\\tspin_unlock();\\n\\t\\t\\t\\t\\t\\thrtimer_cancel(\u0026t-\u003etimer);\\n\\t\\t\\t\\t\\t\\tkfree(t);\\n\\n\\t/* UAF on t */\\n\\thrtimer_cancel(\u0026t-\u003etimer);\\n\\nIn bpf_timer_cancel_and_free, this patch frees the timer-\u003etimer\\nafter a rcu grace period. This requires a rcu_head addition\\nto the \\\"struct bpf_hrtimer\\\". Another kfree(t) happens in bpf_timer_init,\\nthis does not need a kfree_rcu because it is still under the\\nspin_lock and timer-\u003etimer has not been visible by others yet.\\n\\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\\ncan be used in a non rcu critical section context (e.g. from\\na sleepable bpf prog). Other timer-\u003etimer usages in helpers.c\\nhave been audited, bpf_timer_cancel() is the only place where\\ntimer-\u003etimer is used outside of the spin_lock.\\n\\nAnother solution considered is to mark a t-\u003eflag in bpf_timer_cancel\\nand clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,\\nit busy waits for the flag to be cleared before kfree(t). This patch\\ngoes with a straight forward solution and frees timer-\u003etimer after\\na rcu grace period.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Correcci\u00f3n de ejecuci\u00f3ns entre bpf_timer_cancel_and_free y bpf_timer_cancel La siguiente ejecuci\u00f3n es posible entre bpf_timer_cancel_and_free y bpf_timer_cancel. Dirigir\u00e1 una UAF en el temporizador-\u0026gt;temporizador. bpf_timer_cancel(); spin_lock(); t = temporizador-\u0026gt;tiempo; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = temporizador-\u0026gt;temporizador; temporizador-\u0026gt;temporizador = NULL; spin_unlock(); hrtimer_cancel(\u0026amp;t-\u0026gt;temporizador); klibre(t); /* UAF en t */ hrtimer_cancel(\u0026amp;t-\u0026gt;timer); En bpf_timer_cancel_and_free, este parche libera el temporizador-\u0026gt;temporizador despu\u00e9s de un per\u00edodo de gracia de rcu. Esto requiere una adici\u00f3n de rcu_head a \\\"struct bpf_hrtimer\\\". Otro kfree(t) ocurre en bpf_timer_init, esto no necesita un kfree_rcu porque todav\u00eda est\u00e1 bajo spin_lock y otros a\u00fan no han visible el temporizador-\u0026gt;temporizador. En bpf_timer_cancel, se agrega rcu_read_lock() porque este asistente puede usarse en un contexto de secci\u00f3n no cr\u00edtica para rcu (por ejemplo, desde un programa bpf que se puede dormir). Se han auditado otros usos de temporizador-\u0026gt;temporizador en helpers.c, bpf_timer_cancel() es el \u00fanico lugar donde se usa temporizador-\u0026gt;temporizador fuera de spin_lock. Otra soluci\u00f3n considerada es marcar una bandera t-\u0026gt; en bpf_timer_cancel y borrarla una vez finalizado hrtimer_cancel(). En bpf_timer_cancel_and_free, est\u00e1 ocupado esperando a que se borre la bandera antes de kfree(t). Este parche incluye una soluci\u00f3n sencilla y libera el temporizador-\u0026gt;temporizador despu\u00e9s de un per\u00edodo de gracia de rcu.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15\",\"versionEndExcluding\":\"5.15.150\",\"matchCriteriaId\":\"CD186D78-4011-4C0F-87C3-C9E66FC1D487\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.80\",\"matchCriteriaId\":\"BA7850CE-97C9-4408-A348-6173296BCA2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.19\",\"matchCriteriaId\":\"8D82004C-B2AE-4048-9344-32EFF65953B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.7\",\"matchCriteriaId\":\"575EE16B-67F2-4B5B-B5F8-1877715C898B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9F4EA73-0894-400F-A490-3A397AB7A517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"056BD938-0A27-4569-B391-30578B309EE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F02056A5-B362-4370-9FF8-6F0BD384D520\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"62075ACE-B2A0-4B16-829D-B3DA5AE5CC41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"A780F817-2A77-4130-A9B7-5C25606314E3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:13.230Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26737\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-03T19:13:11.173900Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:21.859Z\"}}], \"cna\": {\"title\": \"bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"b00628b1c7d595ae5b544e059c27b1f5828314b4\", \"lessThan\": \"5268bb02107b9eedfdcd51db75b407d10043368c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b00628b1c7d595ae5b544e059c27b1f5828314b4\", \"lessThan\": \"addf5e297e6cbf5341f9c07720693ca9ba0057b5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b00628b1c7d595ae5b544e059c27b1f5828314b4\", \"lessThan\": \"8327ed12e8ebc5436bfaa1786c49988894f9c8a6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b00628b1c7d595ae5b544e059c27b1f5828314b4\", \"lessThan\": \"7d80a9e745fa5b47da3bca001f186c02485c7c33\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b00628b1c7d595ae5b544e059c27b1f5828314b4\", \"lessThan\": \"0281b919e175bb9c3128bd3872ac2903e9436e3f\", \"versionType\": \"git\"}], \"programFiles\": [\"kernel/bpf/helpers.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.15\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.15\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.150\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.80\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"kernel/bpf/helpers.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c\"}, {\"url\": \"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5\"}, {\"url\": \"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6\"}, {\"url\": \"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33\"}, {\"url\": \"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\\n\\nThe following race is possible between bpf_timer_cancel_and_free\\nand bpf_timer_cancel. It will lead a UAF on the timer-\u003etimer.\\n\\nbpf_timer_cancel();\\n\\tspin_lock();\\n\\tt = timer-\u003etime;\\n\\tspin_unlock();\\n\\n\\t\\t\\t\\t\\tbpf_timer_cancel_and_free();\\n\\t\\t\\t\\t\\t\\tspin_lock();\\n\\t\\t\\t\\t\\t\\tt = timer-\u003etimer;\\n\\t\\t\\t\\t\\t\\ttimer-\u003etimer = NULL;\\n\\t\\t\\t\\t\\t\\tspin_unlock();\\n\\t\\t\\t\\t\\t\\thrtimer_cancel(\u0026t-\u003etimer);\\n\\t\\t\\t\\t\\t\\tkfree(t);\\n\\n\\t/* UAF on t */\\n\\thrtimer_cancel(\u0026t-\u003etimer);\\n\\nIn bpf_timer_cancel_and_free, this patch frees the timer-\u003etimer\\nafter a rcu grace period. This requires a rcu_head addition\\nto the \\\"struct bpf_hrtimer\\\". Another kfree(t) happens in bpf_timer_init,\\nthis does not need a kfree_rcu because it is still under the\\nspin_lock and timer-\u003etimer has not been visible by others yet.\\n\\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\\ncan be used in a non rcu critical section context (e.g. from\\na sleepable bpf prog). Other timer-\u003etimer usages in helpers.c\\nhave been audited, bpf_timer_cancel() is the only place where\\ntimer-\u003etimer is used outside of the spin_lock.\\n\\nAnother solution considered is to mark a t-\u003eflag in bpf_timer_cancel\\nand clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,\\nit busy waits for the flag to be cleared before kfree(t). This patch\\ngoes with a straight forward solution and frees timer-\u003etimer after\\na rcu grace period.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.150\", \"versionStartIncluding\": \"5.15\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.80\", \"versionStartIncluding\": \"5.15\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.19\", \"versionStartIncluding\": \"5.15\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.7\", \"versionStartIncluding\": \"5.15\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"5.15\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:03:10.783Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26737\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:03:10.783Z\", \"dateReserved\": \"2024-02-19T14:20:24.166Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-03T17:00:23.414Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.