CVE-2024-26859 (GCVE-0-2024-26859)

Vulnerability from cvelistv5 – Published: 2024-04-17 10:27 – Updated: 2026-05-12 11:49
VLAI
Title
net/bnx2x: Prevent access to a freed page in page_pool
Summary
In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; 803 struct page *page = sw_buf->page; .... where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread. EEH: Beginning: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... bnx2x 0011:01:00.0: enabling device (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000025065fc Oops: Kernel access of bad area, sig: 11 [#1] ..... Call Trace: [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 To solve this issue, we need to verify page pool allocations before freeing.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 7bcc090c81116c66936a7415f2c6b1483a4bcfd9 (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 4f37d3a7e004bbf560c21441ca9c022168017ec4 (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 8eebff95ce9558be66a36aa7cfb43223f3ab4699 (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598 (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < cf7d8cba639ae792a42c2a137b495eac262ac36c (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < c51f8b6930db3f259b8820b589f2459d2df3fc68 (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < 44f9f1abb0ecc43023225ab9539167facbabf0ec (git)
Affected: 4cace675d687ebd2d813e90af80ff87ee85202f9 , < d27e2da94a42655861ca4baea30c8cd65546f25d (git)
Create a notification for this product.
Linux Linux Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 4.19.311 , ≤ 4.19.* (semver)
Unaffected: 5.4.273 , ≤ 5.4.* (semver)
Unaffected: 5.10.214 , ≤ 5.10.* (semver)
Unaffected: 5.15.153 , ≤ 5.15.* (semver)
Unaffected: 6.1.83 , ≤ 6.1.* (semver)
Unaffected: 6.6.23 , ≤ 6.6.* (semver)
Unaffected: 6.7.11 , ≤ 6.7.* (semver)
Unaffected: 6.8.2 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem Affected: 0 , < * (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26859",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T14:02:31.556726Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:09.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.698Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:49:36.248Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bcc090c81116c66936a7415f2c6b1483a4bcfd9",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "4f37d3a7e004bbf560c21441ca9c022168017ec4",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "8eebff95ce9558be66a36aa7cfb43223f3ab4699",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "cf7d8cba639ae792a42c2a137b495eac262ac36c",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "c51f8b6930db3f259b8820b589f2459d2df3fc68",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "44f9f1abb0ecc43023225ab9539167facbabf0ec",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            },
            {
              "lessThan": "d27e2da94a42655861ca4baea30c8cd65546f25d",
              "status": "affected",
              "version": "4cace675d687ebd2d813e90af80ff87ee85202f9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.311",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.273",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.214",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.311",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.273",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.214",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.153",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.83",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.23",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.11",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.2",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver\u0027s transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver\u0027s attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = \u0026fp-\u003erx_page_ring[index];\n803     struct page *page = sw_buf-\u003epage;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: \u0027slot_reset\u0027\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x-\u003eslot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -\u003e 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --\u003e driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:05:30.893Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68"
        },
        {
          "url": "https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d"
        }
      ],
      "title": "net/bnx2x: Prevent access to a freed page in page_pool",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26859",
    "datePublished": "2024-04-17T10:27:23.709Z",
    "dateReserved": "2024-02-19T14:20:24.183Z",
    "dateUpdated": "2026-05-12T11:49:36.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-26859",
      "date": "2026-06-25",
      "epss": "0.00182",
      "percentile": "0.07988"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/bnx2x: Prevent access to a freed page in page_pool\\n\\nFix race condition leading to system crash during EEH error handling\\n\\nDuring EEH error recovery, the bnx2x driver\u0027s transmit timeout logic\\ncould cause a race condition when handling reset tasks. The\\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\\noverlap with the EEH driver\u0027s attempt to reset the device using\\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\\ncondition can result in system crashes due to accessing freed memory\\nlocations in bnx2x_free_rx_sge()\\n\\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\\n800\\t\\t\\t\\tstruct bnx2x_fastpath *fp, u16 index)\\n801  {\\n802\\tstruct sw_rx_page *sw_buf = \u0026fp-\u003erx_page_ring[index];\\n803     struct page *page = sw_buf-\u003epage;\\n....\\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\\nby the preceding thread.\\n\\n    EEH: Beginning: \u0027slot_reset\u0027\\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x-\u003eslot_reset()\\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\\n    bnx2x 0011:01:00.0: enabling device (0140 -\u003e 0142)\\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --\u003e driver unload\\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\\n    Faulting instruction address: 0xc0080000025065fc\\n    Oops: Kernel access of bad area, sig: 11 [#1]\\n    .....\\n    Call Trace:\\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\\n\\nTo solve this issue, we need to verify page pool allocations before\\nfreeing.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/bnx2x: impide el acceso a una p\\u00e1gina liberada en page_pool. Repara la condici\\u00f3n de carrera que provoca un bloqueo del sistema durante el manejo de errores EEH. Durante la recuperaci\\u00f3n de errores EEH, la l\\u00f3gica de tiempo de espera de transmisi\\u00f3n del controlador bnx2x podr\\u00eda provocar una carrera. condici\\u00f3n al manejar tareas de reinicio. El bnx2x_tx_timeout() programa tareas de reinicio a trav\\u00e9s de bnx2x_sp_rtnl_task(), lo que finalmente conduce a bnx2x_nic_unload(). En bnx2x_nic_unload(), los SGE se liberan utilizando bnx2x_free_rx_sge_range(). Sin embargo, esto podr\\u00eda superponerse con el intento del controlador EEH de restablecer el dispositivo usando bnx2x_io_slot_reset(), que tambi\\u00e9n intenta liberar los SGE. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = \u0026amp;fp-\u0026gt;rx_page_ring [\\u00edndice]; 803 p\\u00e1gina de estructura *p\\u00e1gina = sw_buf-\u0026gt;p\\u00e1gina; .... donde sw_buf se configur\\u00f3 en NULL despu\\u00e9s de la llamada a dma_unmap_page() por el hilo anterior. EEH: Comienzo: \u0027slot_reset\u0027 PCI 0011:01:00.0#10000: EEH: Invocando bnx2x-\u0026gt;slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]Reinicio de ranura IO inicializando... bnx2x 0011:01:00.0: habilitando dispositivo (0140 -\u0026gt; 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]Restablecimiento de ranura IO --\u0026gt; descarga del controlador El kernel intent\\u00f3 leer la p\\u00e1gina del usuario (0): \\u00bfintento de explotaci\\u00f3n? (uid: 0) ERROR: Desreferencia del puntero NULL del kernel al leer en 0x00000000 Direcci\\u00f3n de instrucci\\u00f3n err\\u00f3nea: 0xc0080000025065fc Ups: Acceso al kernel del \\u00e1rea defectuosa, firma: 11 [#1] ..... Seguimiento de llamadas: [c000000003c67a20] [c00800000250658c] 2x_io_slot_reset +0x204/0x610 [bnx2x] (no confiable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] 180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler +0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Para resolver este problema, necesitamos verifique las asignaciones del grupo de p\\u00e1ginas antes de liberarlas.\"}]",
      "id": "CVE-2024-26859",
      "lastModified": "2024-11-21T09:03:14.013",
      "published": "2024-04-17T11:15:08.893",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26859\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:08.893\",\"lastModified\":\"2026-05-12T12:16:21.553\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/bnx2x: Prevent access to a freed page in page_pool\\n\\nFix race condition leading to system crash during EEH error handling\\n\\nDuring EEH error recovery, the bnx2x driver\u0027s transmit timeout logic\\ncould cause a race condition when handling reset tasks. The\\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\\noverlap with the EEH driver\u0027s attempt to reset the device using\\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\\ncondition can result in system crashes due to accessing freed memory\\nlocations in bnx2x_free_rx_sge()\\n\\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\\n800\\t\\t\\t\\tstruct bnx2x_fastpath *fp, u16 index)\\n801  {\\n802\\tstruct sw_rx_page *sw_buf = \u0026fp-\u003erx_page_ring[index];\\n803     struct page *page = sw_buf-\u003epage;\\n....\\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\\nby the preceding thread.\\n\\n    EEH: Beginning: \u0027slot_reset\u0027\\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x-\u003eslot_reset()\\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\\n    bnx2x 0011:01:00.0: enabling device (0140 -\u003e 0142)\\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --\u003e driver unload\\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\\n    Faulting instruction address: 0xc0080000025065fc\\n    Oops: Kernel access of bad area, sig: 11 [#1]\\n    .....\\n    Call Trace:\\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\\n\\nTo solve this issue, we need to verify page pool allocations before\\nfreeing.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/bnx2x: impide el acceso a una p\u00e1gina liberada en page_pool. Repara la condici\u00f3n de carrera que provoca un bloqueo del sistema durante el manejo de errores EEH. Durante la recuperaci\u00f3n de errores EEH, la l\u00f3gica de tiempo de espera de transmisi\u00f3n del controlador bnx2x podr\u00eda provocar una carrera. condici\u00f3n al manejar tareas de reinicio. El bnx2x_tx_timeout() programa tareas de reinicio a trav\u00e9s de bnx2x_sp_rtnl_task(), lo que finalmente conduce a bnx2x_nic_unload(). En bnx2x_nic_unload(), los SGE se liberan utilizando bnx2x_free_rx_sge_range(). Sin embargo, esto podr\u00eda superponerse con el intento del controlador EEH de restablecer el dispositivo usando bnx2x_io_slot_reset(), que tambi\u00e9n intenta liberar los SGE. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = \u0026amp;fp-\u0026gt;rx_page_ring [\u00edndice]; 803 p\u00e1gina de estructura *p\u00e1gina = sw_buf-\u0026gt;p\u00e1gina; .... donde sw_buf se configur\u00f3 en NULL despu\u00e9s de la llamada a dma_unmap_page() por el hilo anterior. EEH: Comienzo: \u0027slot_reset\u0027 PCI 0011:01:00.0#10000: EEH: Invocando bnx2x-\u0026gt;slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]Reinicio de ranura IO inicializando... bnx2x 0011:01:00.0: habilitando dispositivo (0140 -\u0026gt; 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]Restablecimiento de ranura IO --\u0026gt; descarga del controlador El kernel intent\u00f3 leer la p\u00e1gina del usuario (0): \u00bfintento de explotaci\u00f3n? (uid: 0) ERROR: Desreferencia del puntero NULL del kernel al leer en 0x00000000 Direcci\u00f3n de instrucci\u00f3n err\u00f3nea: 0xc0080000025065fc Ups: Acceso al kernel del \u00e1rea defectuosa, firma: 11 [#1] ..... Seguimiento de llamadas: [c000000003c67a20] [c00800000250658c] 2x_io_slot_reset +0x204/0x610 [bnx2x] (no confiable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] 180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler +0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Para resolver este problema, necesitamos verifique las asignaciones del grupo de p\u00e1ginas antes de liberarlas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2\",\"versionEndExcluding\":\"4.19.311\",\"matchCriteriaId\":\"AD980215-9885-4AEF-8844-E63A850472EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.273\",\"matchCriteriaId\":\"620FD8B7-BF03-43E0-951A-0A58461D4C55\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.214\",\"matchCriteriaId\":\"65987874-467B-4D3B-91D6-68A129B34FB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.153\",\"matchCriteriaId\":\"ACB69438-845D-4E3C-B114-3140611F9C0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.83\",\"matchCriteriaId\":\"121A07F6-F505-4C47-86BF-9BB6CC7B6C19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.23\",\"matchCriteriaId\":\"E00814DC-0BA7-431A-9926-80FEB4A96C68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.11\",\"matchCriteriaId\":\"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.8\",\"versionEndExcluding\":\"6.8.2\",\"matchCriteriaId\":\"543A75FF-25B8-4046-A514-1EA8EDD87AB1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:13.698Z\"}}, {\"affected\": [{\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"x_adpType\": \"supplier\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\"}], \"providerMetadata\": {\"orgId\": \"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\", \"shortName\": \"siemens-SADP\", \"dateUpdated\": \"2026-05-12T11:49:36.248Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26859\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-23T14:02:31.556726Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-05T15:20:38.074Z\"}}], \"cna\": {\"title\": \"net/bnx2x: Prevent access to a freed page in page_pool\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"7bcc090c81116c66936a7415f2c6b1483a4bcfd9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"4f37d3a7e004bbf560c21441ca9c022168017ec4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"8eebff95ce9558be66a36aa7cfb43223f3ab4699\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"cf7d8cba639ae792a42c2a137b495eac262ac36c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"c51f8b6930db3f259b8820b589f2459d2df3fc68\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"44f9f1abb0ecc43023225ab9539167facbabf0ec\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4cace675d687ebd2d813e90af80ff87ee85202f9\", \"lessThan\": \"d27e2da94a42655861ca4baea30c8cd65546f25d\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.2\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.2\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.311\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.273\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.214\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.153\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.83\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.23\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9\"}, {\"url\": \"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4\"}, {\"url\": \"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699\"}, {\"url\": \"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598\"}, {\"url\": \"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c\"}, {\"url\": \"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb\"}, {\"url\": \"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68\"}, {\"url\": \"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec\"}, {\"url\": \"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/bnx2x: Prevent access to a freed page in page_pool\\n\\nFix race condition leading to system crash during EEH error handling\\n\\nDuring EEH error recovery, the bnx2x driver\u0027s transmit timeout logic\\ncould cause a race condition when handling reset tasks. The\\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\\noverlap with the EEH driver\u0027s attempt to reset the device using\\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\\ncondition can result in system crashes due to accessing freed memory\\nlocations in bnx2x_free_rx_sge()\\n\\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\\n800\\t\\t\\t\\tstruct bnx2x_fastpath *fp, u16 index)\\n801  {\\n802\\tstruct sw_rx_page *sw_buf = \u0026fp-\u003erx_page_ring[index];\\n803     struct page *page = sw_buf-\u003epage;\\n....\\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\\nby the preceding thread.\\n\\n    EEH: Beginning: \u0027slot_reset\u0027\\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x-\u003eslot_reset()\\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\\n    bnx2x 0011:01:00.0: enabling device (0140 -\u003e 0142)\\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --\u003e driver unload\\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\\n    Faulting instruction address: 0xc0080000025065fc\\n    Oops: Kernel access of bad area, sig: 11 [#1]\\n    .....\\n    Call Trace:\\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\\n\\nTo solve this issue, we need to verify page pool allocations before\\nfreeing.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.311\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.273\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.214\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.153\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.83\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.23\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.11\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.2\", \"versionStartIncluding\": \"4.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"4.2\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:05:30.893Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26859\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-12T11:49:36.248Z\", \"dateReserved\": \"2024-02-19T14:20:24.183Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-17T10:27:23.709Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.