CVE-2024-26598 (GCVE-0-2024-26598)

Vulnerability from cvelistv5 – Published: 2024-02-23 14:46 – Updated: 2025-05-04 08:51
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d04acadb6490aa3314f9c9e087691e55de153b88 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba7be666740847d967822bed15500656b26bc703 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 12c2759ab1343c124ed46ba48f27bd1ef5d2dff4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dba788e25f05209adf2b0175eb1691dc89fb1ba6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 65b201bf3e9af1b0254243a5881390eda56f72d1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd3956a1b3dd11f46488c928cb890d6937d1ca80 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ad362fe07fecf0aba839ff2cc59a3617bd42c33f (git)
Create a notification for this product.
    Linux Linux Unaffected: 5.4.269 , ≤ 5.4.* (semver)
Unaffected: 5.10.209 , ≤ 5.10.* (semver)
Unaffected: 5.15.148 , ≤ 5.15.* (semver)
Unaffected: 6.1.75 , ≤ 6.1.* (semver)
Unaffected: 6.6.14 , ≤ 6.6.* (semver)
Unaffected: 6.7.2 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.689Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "d04acadb6490",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "ba7be6667408",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "12c2759ab134",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "dba788e25f05",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "65b201bf3e9a",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "dd3956a1b3dd",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "ad362fe07fec",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "5.5",
                "status": "unaffected",
                "version": "5.4.269",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "5.11",
                "status": "unaffected",
                "version": "5.10.209",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "5.16",
                "status": "unaffected",
                "version": "5.15.148",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "6.2",
                "status": "unaffected",
                "version": "6.1.75",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "6.7",
                "status": "unaffected",
                "version": "6.6.14",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "6.8",
                "status": "unaffected",
                "version": "6.7.2",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "*",
                "status": "unaffected",
                "version": "6.8",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-26598",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T16:15:47.782832Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T16:16:01.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kvm/vgic/vgic-its.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d04acadb6490aa3314f9c9e087691e55de153b88",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ba7be666740847d967822bed15500656b26bc703",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "12c2759ab1343c124ed46ba48f27bd1ef5d2dff4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dba788e25f05209adf2b0175eb1691dc89fb1ba6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "65b201bf3e9af1b0254243a5881390eda56f72d1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dd3956a1b3dd11f46488c928cb890d6937d1ca80",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ad362fe07fecf0aba839ff2cc59a3617bd42c33f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kvm/vgic/vgic-its.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.269",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.269",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.209",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:51:55.492Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"
        },
        {
          "url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"
        },
        {
          "url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"
        },
        {
          "url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"
        }
      ],
      "title": "KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26598",
    "datePublished": "2024-02-23T14:46:26.672Z",
    "dateReserved": "2024-02-19T14:20:24.128Z",
    "dateUpdated": "2025-05-04T08:51:55.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.4\", \"versionEndExcluding\": \"5.4.269\", \"matchCriteriaId\": \"E2B90340-A8CC-4956-9F40-F37195011EC7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.5\", \"versionEndExcluding\": \"5.10.209\", \"matchCriteriaId\": \"74979A03-4B10-4815-AE3E-C8C0D2FDAA39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11\", \"versionEndExcluding\": \"5.15.148\", \"matchCriteriaId\": \"2ED0CDB9-61B0-408E-B2A8-5199107F7868\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.16\", \"versionEndExcluding\": \"6.1.75\", \"matchCriteriaId\": \"070D0ED3-90D0-4F95-B1FF-57D7F46F332D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.2\", \"versionEndExcluding\": \"6.6.14\", \"matchCriteriaId\": \"5C6B50A6-3D8B-4CE2-BDCC-A098609CBA14\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.7.2\", \"matchCriteriaId\": \"7229C448-E0C9-488B-8939-36BA5254065E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\\n\\nThere is a potential UAF scenario in the case of an LPI translation\\ncache hit racing with an operation that invalidates the cache, such\\nas a DISCARD ITS command. The root of the problem is that\\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\\nbefore dropping the lock that serializes refcount changes.\\n\\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\\nand add the corresponding decrement after queueing the interrupt.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: vgic-its: Evite posibles UAF en la cach\\u00e9 de traducci\\u00f3n LPI. Existe un escenario potencial de UAF en el caso de que un cach\\u00e9 de traducci\\u00f3n LPI se acelere con una operaci\\u00f3n que invalide la cach\\u00e9, como un comando DISCARD ITS. La ra\\u00edz del problema es que vgic_its_check_cache() no eleva el refcount en vgic_irq antes de eliminar el bloqueo que serializa los cambios de refcount. Haga que vgic_its_check_cache() aumente el refcount en el vgic_irq devuelto y agregue el decremento correspondiente despu\\u00e9s de poner en cola la interrupci\\u00f3n.\"}]",
      "id": "CVE-2024-26598",
      "lastModified": "2024-11-21T09:02:37.617",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2024-02-23T15:15:09.610",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26598\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-23T15:15:09.610\",\"lastModified\":\"2024-11-21T09:02:37.617\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\\n\\nThere is a potential UAF scenario in the case of an LPI translation\\ncache hit racing with an operation that invalidates the cache, such\\nas a DISCARD ITS command. The root of the problem is that\\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\\nbefore dropping the lock that serializes refcount changes.\\n\\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\\nand add the corresponding decrement after queueing the interrupt.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: vgic-its: Evite posibles UAF en la cach\u00e9 de traducci\u00f3n LPI. Existe un escenario potencial de UAF en el caso de que un cach\u00e9 de traducci\u00f3n LPI se acelere con una operaci\u00f3n que invalide la cach\u00e9, como un comando DISCARD ITS. La ra\u00edz del problema es que vgic_its_check_cache() no eleva el refcount en vgic_irq antes de eliminar el bloqueo que serializa los cambios de refcount. Haga que vgic_its_check_cache() aumente el refcount en el vgic_irq devuelto y agregue el decremento correspondiente despu\u00e9s de poner en cola la interrupci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4\",\"versionEndExcluding\":\"5.4.269\",\"matchCriteriaId\":\"E2B90340-A8CC-4956-9F40-F37195011EC7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.209\",\"matchCriteriaId\":\"74979A03-4B10-4815-AE3E-C8C0D2FDAA39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.148\",\"matchCriteriaId\":\"2ED0CDB9-61B0-408E-B2A8-5199107F7868\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.75\",\"matchCriteriaId\":\"070D0ED3-90D0-4F95-B1FF-57D7F46F332D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.14\",\"matchCriteriaId\":\"5C6B50A6-3D8B-4CE2-BDCC-A098609CBA14\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.2\",\"matchCriteriaId\":\"7229C448-E0C9-488B-8939-36BA5254065E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:07:19.689Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26598\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T16:15:47.782832Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\"], \"vendor\": \"linux\", \"product\": \"linux_kernel\", \"versions\": [{\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"d04acadb6490\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"ba7be6667408\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"12c2759ab134\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"dba788e25f05\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"65b201bf3e9a\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"dd3956a1b3dd\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f4\", \"lessThan\": \"ad362fe07fec\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"5.4.269\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.5\"}, {\"status\": \"unaffected\", \"version\": \"5.10.209\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.11\"}, {\"status\": \"unaffected\", \"version\": \"5.15.148\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.16\"}, {\"status\": \"unaffected\", \"version\": \"6.1.75\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.2\"}, {\"status\": \"unaffected\", \"version\": \"6.6.14\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.7\"}, {\"status\": \"unaffected\", \"version\": \"6.7.2\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.8\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"*\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-07T15:34:11.687Z\"}}], \"cna\": {\"title\": \"KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"d04acadb6490aa3314f9c9e087691e55de153b88\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"ba7be666740847d967822bed15500656b26bc703\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"dba788e25f05209adf2b0175eb1691dc89fb1ba6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"65b201bf3e9af1b0254243a5881390eda56f72d1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"dd3956a1b3dd11f46488c928cb890d6937d1ca80\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"ad362fe07fecf0aba839ff2cc59a3617bd42c33f\", \"versionType\": \"git\"}], \"programFiles\": [\"arch/arm64/kvm/vgic/vgic-its.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"5.4.269\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.209\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.148\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.75\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.14\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"arch/arm64/kvm/vgic/vgic-its.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88\"}, {\"url\": \"https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703\"}, {\"url\": \"https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4\"}, {\"url\": \"https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6\"}, {\"url\": \"https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1\"}, {\"url\": \"https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80\"}, {\"url\": \"https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\\n\\nThere is a potential UAF scenario in the case of an LPI translation\\ncache hit racing with an operation that invalidates the cache, such\\nas a DISCARD ITS command. The root of the problem is that\\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\\nbefore dropping the lock that serializes refcount changes.\\n\\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\\nand add the corresponding decrement after queueing the interrupt.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.269\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.209\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.148\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.75\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.14\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.2\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T08:51:55.492Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26598\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T08:51:55.492Z\", \"dateReserved\": \"2024-02-19T14:20:24.128Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-23T14:46:26.672Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.