CVE-2024-26740 (GCVE-0-2024-26740)

Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2026-05-11 20:03
VLAI
Title
net/sched: act_mirred: use the backlog for mirred ingress
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: use the backlog for mirred ingress The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress") hangs our testing VMs every 10 or so runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by lockdep. The problem as previously described by Davide (see Link) is that if we reverse flow of traffic with the redirect (egress -> ingress) we may reach the same socket which generated the packet. And we may still be holding its socket lock. The common solution to such deadlocks is to put the packet in the Rx backlog, rather than run the Rx path inline. Do that for all egress -> ingress reversals, not just once we started to nest mirred calls. In the past there was a concern that the backlog indirection will lead to loss of error reporting / less accurate stats. But the current workaround does not seem to address the issue.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 53592b3640019f2834701093e38272fdfd367ad8 , < 7c787888d164689da8b1b115f3ef562c1e843af4 (git)
Affected: 53592b3640019f2834701093e38272fdfd367ad8 , < 60ddea1600bc476e0f5e02bce0e29a460ccbf0be (git)
Affected: 53592b3640019f2834701093e38272fdfd367ad8 , < 52f671db18823089a02f07efc04efdb2272ddc17 (git)
Create a notification for this product.
Linux Linux Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 6.6.19 , ≤ 6.6.* (semver)
Unaffected: 6.7.7 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:12.957Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:51:50.686758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:17.875Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_mirred.c",
            "tools/testing/selftests/net/forwarding/tc_actions.sh"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7c787888d164689da8b1b115f3ef562c1e843af4",
              "status": "affected",
              "version": "53592b3640019f2834701093e38272fdfd367ad8",
              "versionType": "git"
            },
            {
              "lessThan": "60ddea1600bc476e0f5e02bce0e29a460ccbf0be",
              "status": "affected",
              "version": "53592b3640019f2834701093e38272fdfd367ad8",
              "versionType": "git"
            },
            {
              "lessThan": "52f671db18823089a02f07efc04efdb2272ddc17",
              "status": "affected",
              "version": "53592b3640019f2834701093e38272fdfd367ad8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_mirred.c",
            "tools/testing/selftests/net/forwarding/tc_actions.sh"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.19",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -\u003e tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -\u003e ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -\u003e ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:03:14.566Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4"
        },
        {
          "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be"
        },
        {
          "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17"
        }
      ],
      "title": "net/sched: act_mirred: use the backlog for mirred ingress",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26740",
    "datePublished": "2024-04-03T17:00:25.534Z",
    "dateReserved": "2024-02-19T14:20:24.166Z",
    "dateUpdated": "2026-05-11T20:03:14.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-26740",
      "date": "2026-06-11",
      "epss": "7e-05",
      "percentile": "0.00591"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: use the backlog for mirred ingress\\n\\nThe test Davide added in commit ca22da2fbd69 (\\\"act_mirred: use the backlog\\nfor nested calls to mirred ingress\\\") hangs our testing VMs every 10 or so\\nruns, with the familiar tcp_v4_rcv -\u003e tcp_v4_rcv deadlock reported by\\nlockdep.\\n\\nThe problem as previously described by Davide (see Link) is that\\nif we reverse flow of traffic with the redirect (egress -\u003e ingress)\\nwe may reach the same socket which generated the packet. And we may\\nstill be holding its socket lock. The common solution to such deadlocks\\nis to put the packet in the Rx backlog, rather than run the Rx path\\ninline. Do that for all egress -\u003e ingress reversals, not just once\\nwe started to nest mirred calls.\\n\\nIn the past there was a concern that the backlog indirection will\\nlead to loss of error reporting / less accurate stats. But the current\\nworkaround does not seem to address the issue.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: net/sched: act_mirred: use el trabajo pendiente para el ingreso duplicado. La prueba que Davide agreg\\u00f3 en el compromiso ca22da2fbd69 (\\\"act_mirred: use el trabajo pendiente para llamadas anidadas para el ingreso duplicado\\\") bloquea nuestras m\\u00e1quinas virtuales de prueba. aproximadamente cada 10 ejecuciones, con el conocido punto muerto tcp_v4_rcv -\u0026gt; tcp_v4_rcv informado por lockdep. El problema descrito anteriormente por Davide (ver Enlace) es que si invertimos el flujo de tr\\u00e1fico con la redirecci\\u00f3n (salida -\u0026gt; entrada) podemos llegar al mismo socket que gener\\u00f3 el paquete. Y es posible que todav\\u00eda estemos sosteniendo el bloqueo del enchufe. La soluci\\u00f3n com\\u00fan a estos puntos muertos es colocar el paquete en el trabajo pendiente de Rx, en lugar de ejecutar la ruta de Rx en l\\u00ednea. Haga eso para todas las reversiones de salida -\u0026gt; entrada, no solo una vez que comenzamos a anidar llamadas reflejadas. En el pasado, exist\\u00eda la preocupaci\\u00f3n de que la direcci\\u00f3n indirecta del trabajo pendiente provocara la p\\u00e9rdida de informes de errores o estad\\u00edsticas menos precisas. Pero la soluci\\u00f3n actual no parece solucionar el problema.\"}]",
      "id": "CVE-2024-26740",
      "lastModified": "2024-11-21T09:02:57.653",
      "published": "2024-04-03T17:15:51.410",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26740\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-03T17:15:51.410\",\"lastModified\":\"2025-03-17T16:03:33.700\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: use the backlog for mirred ingress\\n\\nThe test Davide added in commit ca22da2fbd69 (\\\"act_mirred: use the backlog\\nfor nested calls to mirred ingress\\\") hangs our testing VMs every 10 or so\\nruns, with the familiar tcp_v4_rcv -\u003e tcp_v4_rcv deadlock reported by\\nlockdep.\\n\\nThe problem as previously described by Davide (see Link) is that\\nif we reverse flow of traffic with the redirect (egress -\u003e ingress)\\nwe may reach the same socket which generated the packet. And we may\\nstill be holding its socket lock. The common solution to such deadlocks\\nis to put the packet in the Rx backlog, rather than run the Rx path\\ninline. Do that for all egress -\u003e ingress reversals, not just once\\nwe started to nest mirred calls.\\n\\nIn the past there was a concern that the backlog indirection will\\nlead to loss of error reporting / less accurate stats. But the current\\nworkaround does not seem to address the issue.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/sched: act_mirred: use el trabajo pendiente para el ingreso duplicado. La prueba que Davide agreg\u00f3 en el compromiso ca22da2fbd69 (\\\"act_mirred: use el trabajo pendiente para llamadas anidadas para el ingreso duplicado\\\") bloquea nuestras m\u00e1quinas virtuales de prueba. aproximadamente cada 10 ejecuciones, con el conocido punto muerto tcp_v4_rcv -\u0026gt; tcp_v4_rcv informado por lockdep. El problema descrito anteriormente por Davide (ver Enlace) es que si invertimos el flujo de tr\u00e1fico con la redirecci\u00f3n (salida -\u0026gt; entrada) podemos llegar al mismo socket que gener\u00f3 el paquete. Y es posible que todav\u00eda estemos sosteniendo el bloqueo del enchufe. La soluci\u00f3n com\u00fan a estos puntos muertos es colocar el paquete en el trabajo pendiente de Rx, en lugar de ejecutar la ruta de Rx en l\u00ednea. Haga eso para todas las reversiones de salida -\u0026gt; entrada, no solo una vez que comenzamos a anidar llamadas reflejadas. En el pasado, exist\u00eda la preocupaci\u00f3n de que la direcci\u00f3n indirecta del trabajo pendiente provocara la p\u00e9rdida de informes de errores o estad\u00edsticas menos precisas. Pero la soluci\u00f3n actual no parece solucionar el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10\",\"versionEndExcluding\":\"6.6.19\",\"matchCriteriaId\":\"B5C84E54-75C3-403F-84B4-D99BD4F89D01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.7\",\"matchCriteriaId\":\"575EE16B-67F2-4B5B-B5F8-1877715C898B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9F4EA73-0894-400F-A490-3A397AB7A517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"056BD938-0A27-4569-B391-30578B309EE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F02056A5-B362-4370-9FF8-6F0BD384D520\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"62075ACE-B2A0-4B16-829D-B3DA5AE5CC41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"A780F817-2A77-4130-A9B7-5C25606314E3\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:12.957Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26740\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:51:50.686758Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:15.995Z\"}}], \"cna\": {\"title\": \"net/sched: act_mirred: use the backlog for mirred ingress\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"53592b3640019f2834701093e38272fdfd367ad8\", \"lessThan\": \"7c787888d164689da8b1b115f3ef562c1e843af4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"53592b3640019f2834701093e38272fdfd367ad8\", \"lessThan\": \"60ddea1600bc476e0f5e02bce0e29a460ccbf0be\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"53592b3640019f2834701093e38272fdfd367ad8\", \"lessThan\": \"52f671db18823089a02f07efc04efdb2272ddc17\", \"versionType\": \"git\"}], \"programFiles\": [\"net/sched/act_mirred.c\", \"tools/testing/selftests/net/forwarding/tc_actions.sh\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/sched/act_mirred.c\", \"tools/testing/selftests/net/forwarding/tc_actions.sh\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4\"}, {\"url\": \"https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be\"}, {\"url\": \"https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_mirred: use the backlog for mirred ingress\\n\\nThe test Davide added in commit ca22da2fbd69 (\\\"act_mirred: use the backlog\\nfor nested calls to mirred ingress\\\") hangs our testing VMs every 10 or so\\nruns, with the familiar tcp_v4_rcv -\u003e tcp_v4_rcv deadlock reported by\\nlockdep.\\n\\nThe problem as previously described by Davide (see Link) is that\\nif we reverse flow of traffic with the redirect (egress -\u003e ingress)\\nwe may reach the same socket which generated the packet. And we may\\nstill be holding its socket lock. The common solution to such deadlocks\\nis to put the packet in the Rx backlog, rather than run the Rx path\\ninline. Do that for all egress -\u003e ingress reversals, not just once\\nwe started to nest mirred calls.\\n\\nIn the past there was a concern that the backlog indirection will\\nlead to loss of error reporting / less accurate stats. But the current\\nworkaround does not seem to address the issue.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.19\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.7\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"4.10\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:03:14.566Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26740\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:03:14.566Z\", \"dateReserved\": \"2024-02-19T14:20:24.166Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-03T17:00:25.534Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.