Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2024:8870
Vulnerability from osv_almalinux
Published
2024-11-05 00:00
Modified
2024-11-06 09:52
Summary
Moderate: kernel-rt security update
Details
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- kernel: net/bluetooth: race condition in conn_info_{min,max}_age_set() (CVE-2024-24857)
- kernel: dmaengine: fix NULL pointer in channel unregistration function (CVE-2023-52492)
- kernel: netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851)
- kernel: netfilter: nft_set_pipapo: do not free live element (CVE-2024-26924)
- kernel: netfilter: nft_set_pipapo: walk over current view on netlink dump (CVE-2024-27017)
- kernel: KVM: Always flush async #PF workqueue when vCPU is being destroyed (CVE-2024-26976)
- kernel: nouveau: lock the client object tree. (CVE-2024-27062)
- kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839)
- kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (CVE-2024-35898)
- kernel: dma-direct: Leak pages on dma_set_decrypted() failure (CVE-2024-35939)
- kernel: net/mlx5e: Fix netif state handling (CVE-2024-38608)
- kernel: r8169: Fix possible ring buffer corruption on fragmented Tx packets. (CVE-2024-38586)
- kernel: of: module: add buffer overflow check in of_modalias() (CVE-2024-38541)
- kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)
- kernel: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type (CVE-2024-39503)
- kernel: drm/i915/dpt: Make DPT object unshrinkable (CVE-2024-40924)
- kernel: ipv6: prevent possible NULL deref in fib6_nh_init() (CVE-2024-40961)
- kernel: tipc: force a dst refcount before doing decryption (CVE-2024-40983)
- kernel: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." (CVE-2024-40984)
- kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)
- kernel: bpf: Fix overrunning reservations in ringbuf (CVE-2024-41009)
- kernel: netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)
- kernel: ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066)
- kernel: drm/i915/gt: Fix potential UAF by revoke of fence registers (CVE-2024-41092)
- kernel: drm/amdgpu: avoid using null object of framebuffer (CVE-2024-41093)
- kernel: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070)
- kernel: gfs2: Fix NULL pointer dereference in gfs2_log_flush (CVE-2024-42079)
- kernel: USB: serial: mos7840: fix crash on resume (CVE-2024-42244)
- kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284)
- kernel: kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292)
- kernel: dev/parport: fix the array out-of-bounds risk (CVE-2024-42301)
- kernel: block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854)
- kernel: mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880)
- kernel: gso: do not skip outer ip header in case of ipip and net_failover (CVE-2022-48936)
- kernel: padata: Fix possible divide-by-0 panic in padata_mt_helper() (CVE-2024-43889)
- kernel: memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892)
- kernel: sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935)
- kernel: bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989)
- kernel: bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990)
- kernel: netfilter: flowtable: initialise extack before use (CVE-2024-45018)
- kernel: ELF: fix kernel.randomize_va_space double read (CVE-2024-46826)
- kernel: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (CVE-2024-47668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.27.1.rt7.368.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. \n\nSecurity Fix(es): \n\n * kernel: net/bluetooth: race condition in conn_info_{min,max}_age_set() (CVE-2024-24857)\n * kernel: dmaengine: fix NULL pointer in channel unregistration function (CVE-2023-52492)\n * kernel: netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851)\n * kernel: netfilter: nft_set_pipapo: do not free live element (CVE-2024-26924)\n * kernel: netfilter: nft_set_pipapo: walk over current view on netlink dump (CVE-2024-27017)\n * kernel: KVM: Always flush async #PF workqueue when vCPU is being destroyed (CVE-2024-26976)\n * kernel: nouveau: lock the client object tree. (CVE-2024-27062)\n * kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839)\n * kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (CVE-2024-35898)\n * kernel: dma-direct: Leak pages on dma_set_decrypted() failure (CVE-2024-35939)\n * kernel: net/mlx5e: Fix netif state handling (CVE-2024-38608)\n * kernel: r8169: Fix possible ring buffer corruption on fragmented Tx packets. (CVE-2024-38586)\n * kernel: of: module: add buffer overflow check in of_modalias() (CVE-2024-38541)\n * kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)\n * kernel: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type (CVE-2024-39503)\n * kernel: drm/i915/dpt: Make DPT object unshrinkable (CVE-2024-40924)\n * kernel: ipv6: prevent possible NULL deref in fib6_nh_init() (CVE-2024-40961)\n * kernel: tipc: force a dst refcount before doing decryption (CVE-2024-40983)\n * kernel: ACPICA: Revert \u0026#34;ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\u0026#34; (CVE-2024-40984)\n * kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)\n * kernel: bpf: Fix overrunning reservations in ringbuf (CVE-2024-41009)\n * kernel: netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)\n * kernel: ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066)\n * kernel: drm/i915/gt: Fix potential UAF by revoke of fence registers (CVE-2024-41092)\n * kernel: drm/amdgpu: avoid using null object of framebuffer (CVE-2024-41093)\n * kernel: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070)\n * kernel: gfs2: Fix NULL pointer dereference in gfs2_log_flush (CVE-2024-42079)\n * kernel: USB: serial: mos7840: fix crash on resume (CVE-2024-42244)\n * kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284)\n * kernel: kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292)\n * kernel: dev/parport: fix the array out-of-bounds risk (CVE-2024-42301)\n * kernel: block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854)\n * kernel: mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880)\n * kernel: gso: do not skip outer ip header in case of ipip and net_failover (CVE-2022-48936)\n * kernel: padata: Fix possible divide-by-0 panic in padata_mt_helper() (CVE-2024-43889)\n * kernel: memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892)\n * kernel: sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935)\n * kernel: bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989)\n * kernel: bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990)\n * kernel: netfilter: flowtable: initialise extack before use (CVE-2024-45018)\n * kernel: ELF: fix kernel.randomize_va_space double read (CVE-2024-46826)\n * kernel: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (CVE-2024-47668)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2024:8870",
"modified": "2024-11-06T09:52:31Z",
"published": "2024-11-05T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:8870"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-48773"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-48936"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-52492"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-24857"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26851"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26924"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-26976"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-27017"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-27062"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35839"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35898"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-35939"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-38540"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-38541"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-38586"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-38608"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-39503"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-40924"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-40961"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-40983"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-40984"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-41009"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-41042"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-41066"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-41092"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-41093"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-42070"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-42079"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-42244"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-42284"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-42292"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-42301"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-43854"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-43880"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-43889"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-43892"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-44935"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-44989"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-44990"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-45018"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-46826"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-47668"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2266247"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2269183"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2275750"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2277168"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2278262"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2278350"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2278387"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281284"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281669"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2281817"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2293356"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2293402"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2293458"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2293459"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2297475"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2297508"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2297545"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2297567"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2297568"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2298109"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2298412"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2300412"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2300442"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2300487"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2300488"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2300508"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2300517"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2307862"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2307865"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2307892"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2309852"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2309853"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2311715"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2315178"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2317601"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2024-8870.html"
}
],
"related": [
"CVE-2024-24857",
"CVE-2023-52492",
"CVE-2024-26851",
"CVE-2024-26924",
"CVE-2024-27017",
"CVE-2024-26976",
"CVE-2024-27062",
"CVE-2024-35839",
"CVE-2024-35898",
"CVE-2024-35939",
"CVE-2024-38608",
"CVE-2024-38586",
"CVE-2024-38541",
"CVE-2024-38540",
"CVE-2024-39503",
"CVE-2024-40924",
"CVE-2024-40961",
"CVE-2024-40983",
"CVE-2024-40984",
"CVE-2022-48773",
"CVE-2024-41009",
"CVE-2024-41042",
"CVE-2024-41066",
"CVE-2024-41092",
"CVE-2024-41093",
"CVE-2024-42070",
"CVE-2024-42079",
"CVE-2024-42244",
"CVE-2024-42284",
"CVE-2024-42292",
"CVE-2024-42301",
"CVE-2024-43854",
"CVE-2024-43880",
"CVE-2022-48936",
"CVE-2024-43889",
"CVE-2024-43892",
"CVE-2024-44935",
"CVE-2024-44989",
"CVE-2024-44990",
"CVE-2024-45018",
"CVE-2024-46826",
"CVE-2024-47668"
],
"summary": "Moderate: kernel-rt security update"
}
CVE-2024-40924 (GCVE-0-2024-40924)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:25 – Updated: 2026-05-11 20:22
VLAI
EPSS
Title
drm/i915/dpt: Make DPT object unshrinkable
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/dpt: Make DPT object unshrinkable
In some scenarios, the DPT object gets shrunk but
the actual framebuffer did not and thus its still
there on the DPT's vm->bound_list. Then it tries to
rewrite the PTEs via a stale CPU mapping. This causes panic.
[vsyrjala: Add TODO comment]
(cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c)
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0dc987b699ce4266450d407d6d79d41eab88c5d0 , < 327280149066f0e5f2e50356b5823f76dabfe86e
(git)
Affected: 0dc987b699ce4266450d407d6d79d41eab88c5d0 , < 7a9883be3b98673333eec65c4a21cc18e60292eb (git) Affected: 0dc987b699ce4266450d407d6d79d41eab88c5d0 , < a2552020fb714ff357182c3c179abfac2289f84d (git) Affected: 0dc987b699ce4266450d407d6d79d41eab88c5d0 , < 43e2b37e2ab660c3565d4cff27922bc70e79c3f1 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.95 , ≤ 6.1.* (semver) Unaffected: 6.6.35 , ≤ 6.6.* (semver) Unaffected: 6.9.6 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:57:53.715Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/327280149066f0e5f2e50356b5823f76dabfe86e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7a9883be3b98673333eec65c4a21cc18e60292eb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a2552020fb714ff357182c3c179abfac2289f84d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/43e2b37e2ab660c3565d4cff27922bc70e79c3f1"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:05:20.923051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:03.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_object.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "327280149066f0e5f2e50356b5823f76dabfe86e",
"status": "affected",
"version": "0dc987b699ce4266450d407d6d79d41eab88c5d0",
"versionType": "git"
},
{
"lessThan": "7a9883be3b98673333eec65c4a21cc18e60292eb",
"status": "affected",
"version": "0dc987b699ce4266450d407d6d79d41eab88c5d0",
"versionType": "git"
},
{
"lessThan": "a2552020fb714ff357182c3c179abfac2289f84d",
"status": "affected",
"version": "0dc987b699ce4266450d407d6d79d41eab88c5d0",
"versionType": "git"
},
{
"lessThan": "43e2b37e2ab660c3565d4cff27922bc70e79c3f1",
"status": "affected",
"version": "0dc987b699ce4266450d407d6d79d41eab88c5d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_object.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.95",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.35",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.6",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/dpt: Make DPT object unshrinkable\n\nIn some scenarios, the DPT object gets shrunk but\nthe actual framebuffer did not and thus its still\nthere on the DPT\u0027s vm-\u003ebound_list. Then it tries to\nrewrite the PTEs via a stale CPU mapping. This causes panic.\n\n[vsyrjala: Add TODO comment]\n(cherry picked from commit 51064d471c53dcc8eddd2333c3f1c1d9131ba36c)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:22:28.155Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/327280149066f0e5f2e50356b5823f76dabfe86e"
},
{
"url": "https://git.kernel.org/stable/c/7a9883be3b98673333eec65c4a21cc18e60292eb"
},
{
"url": "https://git.kernel.org/stable/c/a2552020fb714ff357182c3c179abfac2289f84d"
},
{
"url": "https://git.kernel.org/stable/c/43e2b37e2ab660c3565d4cff27922bc70e79c3f1"
}
],
"title": "drm/i915/dpt: Make DPT object unshrinkable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40924",
"datePublished": "2024-07-12T12:25:04.991Z",
"dateReserved": "2024-07-12T12:17:45.582Z",
"dateUpdated": "2026-05-11T20:22:28.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-40961 (GCVE-0-2024-40961)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:32 – Updated: 2026-05-12 11:55
VLAI
EPSS
Title
ipv6: prevent possible NULL deref in fib6_nh_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent possible NULL deref in fib6_nh_init()
syzbot reminds us that in6_dev_get() can return NULL.
fib6_nh_init()
ip6_validate_gw( &idev )
ip6_route_check_nh( idev )
*idev = in6_dev_get(dev); // can be NULL
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f940f07cea9
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/3200ffeec4d59aad5… | |
| https://git.kernel.org/stable/c/de5ad4d45cd0128a2… | |
| https://git.kernel.org/stable/c/4cdfe813015d5a245… | |
| https://git.kernel.org/stable/c/88b9a55e2e35ea846… | |
| https://git.kernel.org/stable/c/b6947723c9eabcab5… | |
| https://git.kernel.org/stable/c/ae8d3d39efe366c21… | |
| https://git.kernel.org/stable/c/2eab4543a2204092c… | |
| https://lists.debian.org/debian-lts-announce/2025… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
428604fb118facce1309670779a35baf27ad044c , < 3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade
(git)
Affected: 428604fb118facce1309670779a35baf27ad044c , < de5ad4d45cd0128a2a37555f48ab69aa19d78adc (git) Affected: 428604fb118facce1309670779a35baf27ad044c , < 4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668 (git) Affected: 428604fb118facce1309670779a35baf27ad044c , < 88b9a55e2e35ea846d41f4efdc29d23345bd1aa4 (git) Affected: 428604fb118facce1309670779a35baf27ad044c , < b6947723c9eabcab58cfb33cdb0a565a6aee6727 (git) Affected: 428604fb118facce1309670779a35baf27ad044c , < ae8d3d39efe366c2198f530e01e4bf07830bf403 (git) Affected: 428604fb118facce1309670779a35baf27ad044c , < 2eab4543a2204092c3a7af81d7d6c506e59a03a6 (git) |
|
| Linux | Linux |
Affected:
4.17
Unaffected: 0 , < 4.17 (semver) Unaffected: 5.4.279 , ≤ 5.4.* (semver) Unaffected: 5.10.221 , ≤ 5.10.* (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.96 , ≤ 6.1.* (semver) Unaffected: 6.6.36 , ≤ 6.6.* (semver) Unaffected: 6.9.7 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | RUGGEDCOM RST2428P |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:58:27.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:03:26.191957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:23.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:55:59.038Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
},
{
"lessThan": "de5ad4d45cd0128a2a37555f48ab69aa19d78adc",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
},
{
"lessThan": "4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
},
{
"lessThan": "88b9a55e2e35ea846d41f4efdc29d23345bd1aa4",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
},
{
"lessThan": "b6947723c9eabcab58cfb33cdb0a565a6aee6727",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
},
{
"lessThan": "ae8d3d39efe366c2198f530e01e4bf07830bf403",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
},
{
"lessThan": "2eab4543a2204092c3a7af81d7d6c506e59a03a6",
"status": "affected",
"version": "428604fb118facce1309670779a35baf27ad044c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.279",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.96",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n ip6_validate_gw( \u0026idev )\n ip6_route_check_nh( idev )\n *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 \u003c42\u003e 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n sock_do_ioctl+0x158/0x460 net/socket.c:1222\n sock_ioctl+0x629/0x8e0 net/socket.c:1341\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:23:11.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade"
},
{
"url": "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc"
},
{
"url": "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668"
},
{
"url": "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4"
},
{
"url": "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727"
},
{
"url": "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403"
},
{
"url": "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6"
}
],
"title": "ipv6: prevent possible NULL deref in fib6_nh_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40961",
"datePublished": "2024-07-12T12:32:02.654Z",
"dateReserved": "2024-07-12T12:17:45.594Z",
"dateUpdated": "2026-05-12T11:55:59.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-40983 (GCVE-0-2024-40983)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:33 – Updated: 2026-05-11 20:23
VLAI
EPSS
Title
tipc: force a dst refcount before doing decryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: force a dst refcount before doing decryption
As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before
entering the xfrm type handlers"):
"Crypto requests might return asynchronous. In this case we leave the
rcu protected region, so force a refcount on the skb's destination
entry before we enter the xfrm type input/output handlers."
On TIPC decryption path it has the same problem, and skb_dst_force()
should be called before doing decryption to avoid a possible crash.
Shuang reported this issue when this warning is triggered:
[] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]
[] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug
[] Workqueue: crypto cryptd_queue_worker
[] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]
[] Call Trace:
[] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]
[] tipc_rcv+0xcf5/0x1060 [tipc]
[] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]
[] cryptd_aead_crypt+0xdb/0x190
[] cryptd_queue_worker+0xed/0x190
[] process_one_work+0x93d/0x17e0
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/3eb1b39627892c4e2… | |
| https://git.kernel.org/stable/c/692803b39a36e63ac… | |
| https://git.kernel.org/stable/c/623c90d86a61e3780… | |
| https://git.kernel.org/stable/c/b57a4a2dc8746cea5… | |
| https://git.kernel.org/stable/c/6808b41371670c51f… | |
| https://git.kernel.org/stable/c/2ebe8f840c7450ecb… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 3eb1b39627892c4e26cb0162b75725aa5fcc60c8
(git)
Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 692803b39a36e63ac73208e0a3769ae6a2f9bc76 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 623c90d86a61e3780f682b32928af469c66ec4c2 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < b57a4a2dc8746cea58a922ebe31b6aa629d69d93 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 6808b41371670c51feea14f63ade211e78100930 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 2ebe8f840c7450ecbfca9d18ac92e9ce9155e269 (git) |
|
| Linux | Linux |
Affected:
5.5
Unaffected: 0 , < 5.5 (semver) Unaffected: 5.10.221 , ≤ 5.10.* (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.96 , ≤ 6.1.* (semver) Unaffected: 6.6.36 , ≤ 6.6.* (semver) Unaffected: 6.9.7 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:58:47.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:02:13.493957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:21.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/node.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3eb1b39627892c4e26cb0162b75725aa5fcc60c8",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "692803b39a36e63ac73208e0a3769ae6a2f9bc76",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "623c90d86a61e3780f682b32928af469c66ec4c2",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "b57a4a2dc8746cea58a922ebe31b6aa629d69d93",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "6808b41371670c51feea14f63ade211e78100930",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "2ebe8f840c7450ecbfca9d18ac92e9ce9155e269",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/node.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.96",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: force a dst refcount before doing decryption\n\nAs it says in commit 3bc07321ccc2 (\"xfrm: Force a dst refcount before\nentering the xfrm type handlers\"):\n\n\"Crypto requests might return asynchronous. In this case we leave the\n rcu protected region, so force a refcount on the skb\u0027s destination\n entry before we enter the xfrm type input/output handlers.\"\n\nOn TIPC decryption path it has the same problem, and skb_dst_force()\nshould be called before doing decryption to avoid a possible crash.\n\nShuang reported this issue when this warning is triggered:\n\n [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug\n [] Workqueue: crypto cryptd_queue_worker\n [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]\n [] Call Trace:\n [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]\n [] tipc_rcv+0xcf5/0x1060 [tipc]\n [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]\n [] cryptd_aead_crypt+0xdb/0x190\n [] cryptd_queue_worker+0xed/0x190\n [] process_one_work+0x93d/0x17e0"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:23:36.695Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3eb1b39627892c4e26cb0162b75725aa5fcc60c8"
},
{
"url": "https://git.kernel.org/stable/c/692803b39a36e63ac73208e0a3769ae6a2f9bc76"
},
{
"url": "https://git.kernel.org/stable/c/623c90d86a61e3780f682b32928af469c66ec4c2"
},
{
"url": "https://git.kernel.org/stable/c/b57a4a2dc8746cea58a922ebe31b6aa629d69d93"
},
{
"url": "https://git.kernel.org/stable/c/6808b41371670c51feea14f63ade211e78100930"
},
{
"url": "https://git.kernel.org/stable/c/2ebe8f840c7450ecbfca9d18ac92e9ce9155e269"
}
],
"title": "tipc: force a dst refcount before doing decryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40983",
"datePublished": "2024-07-12T12:33:57.263Z",
"dateReserved": "2024-07-12T12:17:45.604Z",
"dateUpdated": "2026-05-11T20:23:36.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-40984 (GCVE-0-2024-40984)
Vulnerability from cvelistv5 – Published: 2024-07-12 12:33 – Updated: 2026-05-12 11:56
VLAI
EPSS
Title
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
Undo the modifications made in commit d410ee5109a1 ("ACPICA: avoid
"Info: mapping multiple BARs. Your kernel is fine.""). The initial
purpose of this commit was to stop memory mappings for operation
regions from overlapping page boundaries, as it can trigger warnings
if different page attributes are present.
However, it was found that when this situation arises, mapping
continues until the boundary's end, but there is still an attempt to
read/write the entire length of the map, leading to a NULL pointer
deference. For example, if a four-byte mapping request is made but
only one byte is mapped because it hits the current page boundary's
end, a four-byte read/write attempt is still made, resulting in a NULL
pointer deference.
Instead, map the entire length, as the ACPI specification does not
mandate that it must be within the same page boundary. It is
permissible for it to be mapped across different regions.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/435ecc978c3d5d0c4… | |
| https://git.kernel.org/stable/c/ae465109d82f4fb03… | |
| https://git.kernel.org/stable/c/6eca23100e9030725… | |
| https://git.kernel.org/stable/c/dc5017c57f5eee800… | |
| https://git.kernel.org/stable/c/ddc1f5f124479360a… | |
| https://git.kernel.org/stable/c/434c6b924e1f4c219… | |
| https://git.kernel.org/stable/c/e21a4c9129c72fa54… | |
| https://git.kernel.org/stable/c/a83e1385b780d4130… | |
| https://lists.debian.org/debian-lts-announce/2025… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d410ee5109a1633a686a5663c6743a92e1181f9b , < 435ecc978c3d5d0c4e172ec5b956dc1904061d98
(git)
Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < ae465109d82f4fb03c5adbe85f2d6a6a3d59124c (git) Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < 6eca23100e9030725f69c1babacd58803f29ec8d (git) Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f (git) Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < ddc1f5f124479360a1fd43f73be950781d172239 (git) Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < 434c6b924e1f4c219aab2d9e05fe79c5364e37d3 (git) Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < e21a4c9129c72fa54dd00f5ebf71219b41d43c04 (git) Affected: d410ee5109a1633a686a5663c6743a92e1181f9b , < a83e1385b780d41307433ddbc86e3c528db031f0 (git) |
|
| Linux | Linux |
Affected:
2.6.32
Unaffected: 0 , < 2.6.32 (semver) Unaffected: 4.19.317 , ≤ 4.19.* (semver) Unaffected: 5.4.279 , ≤ 5.4.* (semver) Unaffected: 5.10.221 , ≤ 5.10.* (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.96 , ≤ 6.1.* (semver) Unaffected: 6.6.36 , ≤ 6.6.* (semver) Unaffected: 6.9.7 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | RUGGEDCOM RST2428P |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:58:49.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:02:10.333733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:21.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:56:04.534Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/exregion.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "435ecc978c3d5d0c4e172ec5b956dc1904061d98",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "ae465109d82f4fb03c5adbe85f2d6a6a3d59124c",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "6eca23100e9030725f69c1babacd58803f29ec8d",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "ddc1f5f124479360a1fd43f73be950781d172239",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "434c6b924e1f4c219aab2d9e05fe79c5364e37d3",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "e21a4c9129c72fa54dd00f5ebf71219b41d43c04",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
},
{
"lessThan": "a83e1385b780d41307433ddbc86e3c528db031f0",
"status": "affected",
"version": "d410ee5109a1633a686a5663c6743a92e1181f9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/exregion.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.317",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.317",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.279",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.96",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"\n\nUndo the modifications made in commit d410ee5109a1 (\"ACPICA: avoid\n\"Info: mapping multiple BARs. Your kernel is fine.\"\"). The initial\npurpose of this commit was to stop memory mappings for operation\nregions from overlapping page boundaries, as it can trigger warnings\nif different page attributes are present.\n\nHowever, it was found that when this situation arises, mapping\ncontinues until the boundary\u0027s end, but there is still an attempt to\nread/write the entire length of the map, leading to a NULL pointer\ndeference. For example, if a four-byte mapping request is made but\nonly one byte is mapped because it hits the current page boundary\u0027s\nend, a four-byte read/write attempt is still made, resulting in a NULL\npointer deference.\n\nInstead, map the entire length, as the ACPI specification does not\nmandate that it must be within the same page boundary. It is\npermissible for it to be mapped across different regions."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:23:37.843Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/435ecc978c3d5d0c4e172ec5b956dc1904061d98"
},
{
"url": "https://git.kernel.org/stable/c/ae465109d82f4fb03c5adbe85f2d6a6a3d59124c"
},
{
"url": "https://git.kernel.org/stable/c/6eca23100e9030725f69c1babacd58803f29ec8d"
},
{
"url": "https://git.kernel.org/stable/c/dc5017c57f5eee80020c73ff8b67ba7f9fd08b1f"
},
{
"url": "https://git.kernel.org/stable/c/ddc1f5f124479360a1fd43f73be950781d172239"
},
{
"url": "https://git.kernel.org/stable/c/434c6b924e1f4c219aab2d9e05fe79c5364e37d3"
},
{
"url": "https://git.kernel.org/stable/c/e21a4c9129c72fa54dd00f5ebf71219b41d43c04"
},
{
"url": "https://git.kernel.org/stable/c/a83e1385b780d41307433ddbc86e3c528db031f0"
}
],
"title": "ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine.\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40984",
"datePublished": "2024-07-12T12:33:57.947Z",
"dateReserved": "2024-07-12T12:17:45.604Z",
"dateUpdated": "2026-05-12T11:56:04.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41009 (GCVE-0-2024-41009)
Vulnerability from cvelistv5 – Published: 2024-07-17 06:10 – Updated: 2026-05-11 20:24
VLAI
EPSS
Title
bpf: Fix overrunning reservations in ringbuf
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix overrunning reservations in ringbuf
The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.
Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advanced the consumer counter once it finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.
One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.
Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.
For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.
Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/be35504b959f2749b… | |
| https://git.kernel.org/stable/c/0f98f40eb1ed52af8… | |
| https://git.kernel.org/stable/c/d1b9df0435bc61e0b… | |
| https://git.kernel.org/stable/c/511804ab701c0503b… | |
| https://git.kernel.org/stable/c/47416c852f2a04d34… | |
| https://git.kernel.org/stable/c/cfa1a2329a691ffd9… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
457f44363a8894135c85b7a9afd2bd8196db24ab , < be35504b959f2749bab280f4671e8df96dcf836f
(git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 0f98f40eb1ed52af8b81f61901b6c0289ff59de4 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < d1b9df0435bc61e0b44f578846516df8ef476686 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 511804ab701c0503b72eac08217eabfd366ba069 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 47416c852f2a04d348ea66ee451cbdcf8119f225 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < cfa1a2329a691ffd991fcf7248a57d752e712881 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.223 , ≤ 5.10.* (semver) Unaffected: 5.15.164 , ≤ 5.15.* (semver) Unaffected: 6.1.97 , ≤ 6.1.* (semver) Unaffected: 6.6.37 , ≤ 6.6.* (semver) Unaffected: 6.9.8 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:59:13.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:25:12.740807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:06.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be35504b959f2749bab280f4671e8df96dcf836f",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "0f98f40eb1ed52af8b81f61901b6c0289ff59de4",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "d1b9df0435bc61e0b44f578846516df8ef476686",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "511804ab701c0503b72eac08217eabfd366ba069",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "47416c852f2a04d348ea66ee451cbdcf8119f225",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "cfa1a2329a691ffd991fcf7248a57d752e712881",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.223",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.164",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk\u0027s\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos \u003e rb-\u003emask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A\u0027s header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header\u0027s pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A\u0027s header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We\u0027ve tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:24:16.044Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f"
},
{
"url": "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4"
},
{
"url": "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686"
},
{
"url": "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069"
},
{
"url": "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225"
},
{
"url": "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881"
}
],
"title": "bpf: Fix overrunning reservations in ringbuf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41009",
"datePublished": "2024-07-17T06:10:11.351Z",
"dateReserved": "2024-07-12T12:17:45.610Z",
"dateUpdated": "2026-05-11T20:24:16.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41042 (GCVE-0-2024-41042)
Vulnerability from cvelistv5 – Published: 2024-07-29 14:31 – Updated: 2026-05-11 20:25
VLAI
EPSS
Title
netfilter: nf_tables: prefer nft_chain_validate
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: prefer nft_chain_validate
nft_chain_validate already performs loop detection because a cycle will
result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).
It also follows maps via ->validate callback in nft_lookup, so there
appears no reason to iterate the maps again.
nf_tables_check_loops() and all its helper functions can be removed.
This improves ruleset load time significantly, from 23s down to 12s.
This also fixes a crash bug. Old loop detection code can result in
unbounded recursion:
BUG: TASK stack guard page was hit at ....
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN
CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1
[..]
with a suitable ruleset during validation of register stores.
I can't see any actual reason to attempt to check for this from
nft_validate_register_store(), at this point the transaction is still in
progress, so we don't have a full picture of the rule graph.
For nf-next it might make sense to either remove it or make this depend
on table->validate_state in case we could catch an error earlier
(for improved error reporting to userspace).
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/1947e4c3346faa8ac… | |
| https://git.kernel.org/stable/c/cd4348e0a50286282… | |
| https://git.kernel.org/stable/c/31c35f9f89ef585f1… | |
| https://git.kernel.org/stable/c/8246b7466c8da49d0… | |
| https://git.kernel.org/stable/c/b6b6e430470e1c3c5… | |
| https://git.kernel.org/stable/c/717c91c6ed73e248d… | |
| https://git.kernel.org/stable/c/9df785aeb7dcc8efd… | |
| https://git.kernel.org/stable/c/cff3bd012a9512ac5… | |
| https://lists.debian.org/debian-lts-announce/2025… | |
| https://lists.debian.org/debian-lts-announce/2024… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
20a69341f2d00cd042e81c82289fba8a13c05a25 , < 1947e4c3346faa8ac7e343652c0fd3b3e394202f
(git)
Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < cd4348e0a50286282c314ad6d2b0740e7c812c24 (git) Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < 31c35f9f89ef585f1edb53e17ac73a0ca4a9712b (git) Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < 8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e (git) Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < b6b6e430470e1c3c5513311cb35a15a205595abe (git) Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < 717c91c6ed73e248de6a15bc53adefb81446c9d0 (git) Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < 9df785aeb7dcc8efd1d4110bb27d26005298ebae (git) Affected: 20a69341f2d00cd042e81c82289fba8a13c05a25 , < cff3bd012a9512ac5ed858d38e6ed65f6391008c (git) |
|
| Linux | Linux |
Affected:
3.13
Unaffected: 0 , < 3.13 (semver) Unaffected: 4.19.320 , ≤ 4.19.* (semver) Unaffected: 5.4.282 , ≤ 5.4.* (semver) Unaffected: 5.10.224 , ≤ 5.10.* (semver) Unaffected: 5.15.165 , ≤ 5.15.* (semver) Unaffected: 6.1.105 , ≤ 6.1.* (semver) Unaffected: 6.6.46 , ≤ 6.6.* (semver) Unaffected: 6.9.10 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:59:42.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:23:10.425038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:02.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1947e4c3346faa8ac7e343652c0fd3b3e394202f",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "cd4348e0a50286282c314ad6d2b0740e7c812c24",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "31c35f9f89ef585f1edb53e17ac73a0ca4a9712b",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "b6b6e430470e1c3c5513311cb35a15a205595abe",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "717c91c6ed73e248de6a15bc53adefb81446c9d0",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "9df785aeb7dcc8efd1d4110bb27d26005298ebae",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
},
{
"lessThan": "cff3bd012a9512ac5ed858d38e6ed65f6391008c",
"status": "affected",
"version": "20a69341f2d00cd042e81c82289fba8a13c05a25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.282",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.224",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.320",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.282",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.224",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.165",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.105",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.46",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx-\u003elevel \u003e= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via -\u003evalidate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can\u0027t see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don\u0027t have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table-\u003evalidate_state in case we could catch an error earlier\n(for improved error reporting to userspace)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:25:02.881Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f"
},
{
"url": "https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24"
},
{
"url": "https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b"
},
{
"url": "https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e"
},
{
"url": "https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe"
},
{
"url": "https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0"
},
{
"url": "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae"
},
{
"url": "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c"
}
],
"title": "netfilter: nf_tables: prefer nft_chain_validate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41042",
"datePublished": "2024-07-29T14:31:55.530Z",
"dateReserved": "2024-07-12T12:17:45.624Z",
"dateUpdated": "2026-05-11T20:25:02.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41066 (GCVE-0-2024-41066)
Vulnerability from cvelistv5 – Published: 2024-07-29 14:57 – Updated: 2026-05-23 15:51
VLAI
EPSS
Title
ibmvnic: Add tx check to prevent skb leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Add tx check to prevent skb leak
Below is a summary of how the driver stores a reference to an skb during
transmit:
tx_buff[free_map[consumer_index]]->skb = new_skb;
free_map[consumer_index] = IBMVNIC_INVALID_MAP;
consumer_index ++;
Where variable data looks like this:
free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]
consumer_index^
tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]
The driver has checks to ensure that free_map[consumer_index] pointed to
a valid index but there was no check to ensure that this index pointed
to an unused/null skb address. So, if, by some chance, our free_map and
tx_buff lists become out of sync then we were previously risking an
skb memory leak. This could then cause tcp congestion control to stop
sending packets, eventually leading to ETIMEDOUT.
Therefore, add a conditional to ensure that the skb address is null. If
not then warn the user (because this is still a bug that should be
patched) and free the old pointer to prevent memleak/tcp problems.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8 , < 16ad1557cae582e79bb82dddd612d9bdfaa11d4c
(git)
Affected: 65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8 , < 267c61c4afed0ff9a2e83462abad3f41d8ca1f06 (git) Affected: 65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8 , < e7b75def33eae61ddaad6cb616c517dc3882eb2a (git) Affected: 65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8 , < 0983d288caf984de0202c66641577b739caad561 (git) Affected: 1a64564eee05128f773930649edfdd50cbe80656 (git) Affected: 5142c39253385702a4de8f897027e1d76fc333de (git) Affected: 5.12.17 , < 5.13 (semver) Affected: 5.13.2 , < 5.14 (semver) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 6.1.101 , ≤ 6.1.* (semver) Unaffected: 6.6.42 , ≤ 6.6.* (semver) Unaffected: 6.9.11 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:00:16.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:21:52.759335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:57.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16ad1557cae582e79bb82dddd612d9bdfaa11d4c",
"status": "affected",
"version": "65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8",
"versionType": "git"
},
{
"lessThan": "267c61c4afed0ff9a2e83462abad3f41d8ca1f06",
"status": "affected",
"version": "65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8",
"versionType": "git"
},
{
"lessThan": "e7b75def33eae61ddaad6cb616c517dc3882eb2a",
"status": "affected",
"version": "65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8",
"versionType": "git"
},
{
"lessThan": "0983d288caf984de0202c66641577b739caad561",
"status": "affected",
"version": "65d6470d139a6c1655fccb5cbacbeaba8e8ad2f8",
"versionType": "git"
},
{
"status": "affected",
"version": "1a64564eee05128f773930649edfdd50cbe80656",
"versionType": "git"
},
{
"status": "affected",
"version": "5142c39253385702a4de8f897027e1d76fc333de",
"versionType": "git"
},
{
"lessThan": "5.13",
"status": "affected",
"version": "5.12.17",
"versionType": "semver"
},
{
"lessThan": "5.14",
"status": "affected",
"version": "5.13.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmvnic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.101",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.42",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n tx_buff[free_map[consumer_index]]-\u003eskb = new_skb;\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n consumer_index ++;\nWhere variable data looks like this:\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n \tconsumer_index^\n tx_buff == [skb=null, skb=\u003cptr\u003e, skb=\u003cptr\u003e, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:51:53.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c"
},
{
"url": "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06"
},
{
"url": "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a"
},
{
"url": "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561"
}
],
"title": "ibmvnic: Add tx check to prevent skb leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41066",
"datePublished": "2024-07-29T14:57:27.832Z",
"dateReserved": "2024-07-12T12:17:45.630Z",
"dateUpdated": "2026-05-23T15:51:53.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41092 (GCVE-0-2024-41092)
Vulnerability from cvelistv5 – Published: 2024-07-29 15:48 – Updated: 2026-05-11 20:26
VLAI
EPSS
Title
drm/i915/gt: Fix potential UAF by revoke of fence registers
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Fix potential UAF by revoke of fence registers
CI has been sporadically reporting the following issue triggered by
igt@i915_selftest@live@hangcheck on ADL-P and similar machines:
<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence
...
<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled
<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled
<3> [414.070354] Unable to pin Y-tiled fence; err:-4
<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active))
...
<4>[ 609.603992] ------------[ cut here ]------------
<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!
<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1
<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]
<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]
...
<4>[ 609.604271] Call Trace:
<4>[ 609.604273] <TASK>
...
<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]
<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]
<4>[ 609.604977] force_unbind+0x24/0xa0 [i915]
<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]
<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]
<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]
<4>[ 609.605440] process_scheduled_works+0x351/0x690
...
In the past, there were similar failures reported by CI from other IGT
tests, observed on other platforms.
Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity
before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for
idleness of vma->active via fence_update(). That commit introduced
vma->fence->active in order for the fence_update() to be able to wait
selectively on that one instead of vma->active since only idleness of
fence registers was needed. But then, another commit 0d86ee35097a
("drm/i915/gt: Make fence revocation unequivocal") replaced the call to
fence_update() in i915_vma_revoke_fence() with only fence_write(), and
also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front.
No justification was provided on why we might then expect idleness of
vma->fence->active without first waiting on it.
The issue can be potentially caused by a race among revocation of fence
registers on one side and sequential execution of signal callbacks invoked
on completion of a request that was using them on the other, still
processed in parallel to revocation of those fence registers. Fix it by
waiting for idleness of vma->fence->active in i915_vma_revoke_fence().
(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/f771b91f21c46ad12… | |
| https://git.kernel.org/stable/c/29c0fdf49078ab161… | |
| https://git.kernel.org/stable/c/ca0fabd365a27a94a… | |
| https://git.kernel.org/stable/c/06dec31a0a5112a91… | |
| https://git.kernel.org/stable/c/414f4a31f7a811008… | |
| https://git.kernel.org/stable/c/996c3412a06578e9d… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 , < f771b91f21c46ad1217328d05e72a2c7e3add535
(git)
Affected: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 , < 29c0fdf49078ab161570d3d1c6e13d66f182717d (git) Affected: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 , < ca0fabd365a27a94a36e68a7a02df8ff3c13dac6 (git) Affected: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 , < 06dec31a0a5112a91f49085e8a8fa1a82296d5c7 (git) Affected: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 , < 414f4a31f7a811008fd9a33b06216b060bad18fc (git) Affected: 0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1 , < 996c3412a06578e9d779a16b9e79ace18125ab50 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.221 , ≤ 5.10.* (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.97 , ≤ 6.1.* (semver) Unaffected: 6.6.37 , ≤ 6.6.* (semver) Unaffected: 6.9.8 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:00:49.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:20:35.535942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:56.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f771b91f21c46ad1217328d05e72a2c7e3add535",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "29c0fdf49078ab161570d3d1c6e13d66f182717d",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "ca0fabd365a27a94a36e68a7a02df8ff3c13dac6",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "06dec31a0a5112a91f49085e8a8fa1a82296d5c7",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "414f4a31f7a811008fd9a33b06216b060bad18fc",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
},
{
"lessThan": "996c3412a06578e9d779a16b9e79ace18125ab50",
"status": "affected",
"version": "0d86ee35097ae0f1c2c50f2b8035ef480e25e4f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix potential UAF by revoke of fence registers\n\nCI has been sporadically reporting the following issue triggered by\nigt@i915_selftest@live@hangcheck on ADL-P and similar machines:\n\n\u003c6\u003e [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence\n...\n\u003c6\u003e [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled\n\u003c6\u003e [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled\n\u003c3\u003e [414.070354] Unable to pin Y-tiled fence; err:-4\n\u003c3\u003e [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(\u0026fence-\u003eactive))\n...\n\u003c4\u003e[ 609.603992] ------------[ cut here ]------------\n\u003c2\u003e[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301!\n\u003c4\u003e[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n\u003c4\u003e[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1\n\u003c4\u003e[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n\u003c4\u003e[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915]\n\u003c4\u003e[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915]\n...\n\u003c4\u003e[ 609.604271] Call Trace:\n\u003c4\u003e[ 609.604273] \u003cTASK\u003e\n...\n\u003c4\u003e[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915]\n\u003c4\u003e[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915]\n\u003c4\u003e[ 609.604977] force_unbind+0x24/0xa0 [i915]\n\u003c4\u003e[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915]\n\u003c4\u003e[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915]\n\u003c4\u003e[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915]\n\u003c4\u003e[ 609.605440] process_scheduled_works+0x351/0x690\n...\n\nIn the past, there were similar failures reported by CI from other IGT\ntests, observed on other platforms.\n\nBefore commit 63baf4f3d587 (\"drm/i915/gt: Only wait for GPU activity\nbefore unbinding a GGTT fence\"), i915_vma_revoke_fence() was waiting for\nidleness of vma-\u003eactive via fence_update(). That commit introduced\nvma-\u003efence-\u003eactive in order for the fence_update() to be able to wait\nselectively on that one instead of vma-\u003eactive since only idleness of\nfence registers was needed. But then, another commit 0d86ee35097a\n(\"drm/i915/gt: Make fence revocation unequivocal\") replaced the call to\nfence_update() in i915_vma_revoke_fence() with only fence_write(), and\nalso added that GEM_BUG_ON(!i915_active_is_idle(\u0026fence-\u003eactive)) in front.\nNo justification was provided on why we might then expect idleness of\nvma-\u003efence-\u003eactive without first waiting on it.\n\nThe issue can be potentially caused by a race among revocation of fence\nregisters on one side and sequential execution of signal callbacks invoked\non completion of a request that was using them on the other, still\nprocessed in parallel to revocation of those fence registers. Fix it by\nwaiting for idleness of vma-\u003efence-\u003eactive in i915_vma_revoke_fence().\n\n(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:26:03.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f771b91f21c46ad1217328d05e72a2c7e3add535"
},
{
"url": "https://git.kernel.org/stable/c/29c0fdf49078ab161570d3d1c6e13d66f182717d"
},
{
"url": "https://git.kernel.org/stable/c/ca0fabd365a27a94a36e68a7a02df8ff3c13dac6"
},
{
"url": "https://git.kernel.org/stable/c/06dec31a0a5112a91f49085e8a8fa1a82296d5c7"
},
{
"url": "https://git.kernel.org/stable/c/414f4a31f7a811008fd9a33b06216b060bad18fc"
},
{
"url": "https://git.kernel.org/stable/c/996c3412a06578e9d779a16b9e79ace18125ab50"
}
],
"title": "drm/i915/gt: Fix potential UAF by revoke of fence registers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41092",
"datePublished": "2024-07-29T15:48:05.853Z",
"dateReserved": "2024-07-12T12:17:45.636Z",
"dateUpdated": "2026-05-11T20:26:03.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41093 (GCVE-0-2024-41093)
Vulnerability from cvelistv5 – Published: 2024-07-29 15:48 – Updated: 2026-05-11 20:26
VLAI
EPSS
Title
drm/amdgpu: avoid using null object of framebuffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid using null object of framebuffer
Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/7f35e01cb0ea4d295… | |
| https://git.kernel.org/stable/c/6ce0544cabaa60801… | |
| https://git.kernel.org/stable/c/330c8c1453848c04d… | |
| https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc4… | |
| https://git.kernel.org/stable/c/bcfa48ff785bd1213… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 6ce0544cabaa608018d5922ab404dc656a9d8447 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 330c8c1453848c04d335bad81371a66710210800 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < bcfa48ff785bd121316592b131ff6531e3e696bb (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.97 , ≤ 6.1.* (semver) Unaffected: 6.6.37 , ≤ 6.6.* (semver) Unaffected: 6.9.8 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:00:50.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:20:32.237829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:55.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "6ce0544cabaa608018d5922ab404dc656a9d8447",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "330c8c1453848c04d335bad81371a66710210800",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "bcfa48ff785bd121316592b131ff6531e3e696bb",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state-\u003efb-\u003eobj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:26:04.620Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc"
},
{
"url": "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447"
},
{
"url": "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800"
},
{
"url": "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46"
},
{
"url": "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb"
}
],
"title": "drm/amdgpu: avoid using null object of framebuffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41093",
"datePublished": "2024-07-29T15:48:06.686Z",
"dateReserved": "2024-07-12T12:17:45.636Z",
"dateUpdated": "2026-05-11T20:26:04.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-42070 (GCVE-0-2024-42070)
Vulnerability from cvelistv5 – Published: 2024-07-29 15:52 – Updated: 2026-05-12 11:56
VLAI
EPSS
Title
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
register store validation for NFT_DATA_VALUE is conditional, however,
the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
only requires a new helper function to infer the register type from the
set datatype so this conditional check can be removed. Otherwise,
pointer to chain object can be leaked through the registers.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/40188a25a9847dbeb… | |
| https://git.kernel.org/stable/c/23752737c6a618e99… | |
| https://git.kernel.org/stable/c/5d43d789b57943720… | |
| https://git.kernel.org/stable/c/461302e07f49687ff… | |
| https://git.kernel.org/stable/c/efb27ad0594940384… | |
| https://git.kernel.org/stable/c/952bf8df222599baa… | |
| https://git.kernel.org/stable/c/41a6375d48deaf7f7… | |
| https://git.kernel.org/stable/c/7931d32955e09d0a1… | |
| https://lists.debian.org/debian-lts-announce/2025… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… | |
| https://cert-portal.siemens.com/productcert/html/… |
Impacted products
9 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
96518518cc417bb0a8c80b9fb736202e28acdf96 , < 40188a25a9847dbeb7ec67517174a835a677752f
(git)
Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < 23752737c6a618e994f9a310ec2568881a6b49c4 (git) Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < 5d43d789b57943720dca4181a05f6477362b94cf (git) Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < 461302e07f49687ffe7d105fa0a330c07c7646d8 (git) Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < efb27ad05949403848f487823b597ed67060e007 (git) Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < 952bf8df222599baadbd4f838a49c4fef81d2564 (git) Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < 41a6375d48deaf7f730304b5153848bfa1c2980f (git) Affected: 96518518cc417bb0a8c80b9fb736202e28acdf96 , < 7931d32955e09d0a11b1fe0b6aac1bfa061c005c (git) |
|
| Linux | Linux |
Affected:
3.13
Unaffected: 0 , < 3.13 (semver) Unaffected: 4.19.317 , ≤ 4.19.* (semver) Unaffected: 5.4.279 , ≤ 5.4.* (semver) Unaffected: 5.10.221 , ≤ 5.10.* (semver) Unaffected: 5.15.162 , ≤ 5.15.* (semver) Unaffected: 6.1.97 , ≤ 6.1.* (semver) Unaffected: 6.6.37 , ≤ 6.6.* (semver) Unaffected: 6.9.8 , ≤ 6.9.* (semver) Unaffected: 6.10 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:01:06.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:19:46.237204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:08.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:56:22.328Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_lookup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40188a25a9847dbeb7ec67517174a835a677752f",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "23752737c6a618e994f9a310ec2568881a6b49c4",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "5d43d789b57943720dca4181a05f6477362b94cf",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "461302e07f49687ffe7d105fa0a330c07c7646d8",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "efb27ad05949403848f487823b597ed67060e007",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "952bf8df222599baadbd4f838a49c4fef81d2564",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "41a6375d48deaf7f730304b5153848bfa1c2980f",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
},
{
"lessThan": "7931d32955e09d0a11b1fe0b6aac1bfa061c005c",
"status": "affected",
"version": "96518518cc417bb0a8c80b9fb736202e28acdf96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_lookup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.317",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.317",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.279",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers\n\nregister store validation for NFT_DATA_VALUE is conditional, however,\nthe datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This\nonly requires a new helper function to infer the register type from the\nset datatype so this conditional check can be removed. Otherwise,\npointer to chain object can be leaked through the registers."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:26:23.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f"
},
{
"url": "https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4"
},
{
"url": "https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf"
},
{
"url": "https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8"
},
{
"url": "https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007"
},
{
"url": "https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564"
},
{
"url": "https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f"
},
{
"url": "https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c"
}
],
"title": "netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42070",
"datePublished": "2024-07-29T15:52:34.061Z",
"dateReserved": "2024-07-29T15:50:41.168Z",
"dateUpdated": "2026-05-12T11:56:22.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…