cvelistv5 - cve-2024-27398

cve-2024-27398

Vulnerability from cvelistv5

Published

2024-05-13 10:22

Modified

2024-09-12 16:02

Severity ?

Summary

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

References

▼	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/

Impacted products

▼	Vendor	Product
	Linux	Linux
	Linux	Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27398",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T15:29:55.290790Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T15:30:07.351Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-12T16:02:58.862Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20240912-0012/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/sco.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b33d55fb735",
              "status": "affected",
              "version": "48669c81a656",
              "versionType": "git"
            },
            {
              "lessThan": "3212afd00e3c",
              "status": "affected",
              "version": "37d7ae2b0578",
              "versionType": "git"
            },
            {
              "lessThan": "33a6e92161a7",
              "status": "affected",
              "version": "a1073aad497d",
              "versionType": "git"
            },
            {
              "lessThan": "6a18eeb1b3bb",
              "status": "affected",
              "version": "ba316be1b6a0",
              "versionType": "git"
            },
            {
              "lessThan": "bfab2c1f7940",
              "status": "affected",
              "version": "ba316be1b6a0",
              "versionType": "git"
            },
            {
              "lessThan": "012363cb1bec",
              "status": "affected",
              "version": "ba316be1b6a0",
              "versionType": "git"
            },
            {
              "lessThan": "50c2037fc28d",
              "status": "affected",
              "version": "ba316be1b6a0",
              "versionType": "git"
            },
            {
              "lessThan": "483bc0818182",
              "status": "affected",
              "version": "ba316be1b6a0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/sco.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.314",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.276",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.217",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.159",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.91",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  \u003cTASK\u003e\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  \u003c/TASK\u003e\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:28:24.756Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249"
        },
        {
          "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014"
        },
        {
          "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93"
        },
        {
          "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178"
        },
        {
          "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
        }
      ],
      "title": "Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-27398",
    "datePublished": "2024-05-13T10:22:26.624Z",
    "dateReserved": "2024-02-25T13:47:42.681Z",
    "dateUpdated": "2024-09-12T16:02:58.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27398\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-14T15:12:28.623\",\"lastModified\":\"2024-06-27T14:15:13.337\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\\n\\nWhen the sco connection is established and then, the sco socket\\nis releasing, timeout_work will be scheduled to judge whether\\nthe sco disconnection is timeout. The sock will be deallocated\\nlater, but it is dereferenced again in sco_sock_timeout. As a\\nresult, the use-after-free bugs will happen. The root cause is\\nshown below:\\n\\n    Cleanup Thread               |      Worker Thread\\nsco_sock_release                 |\\n  sco_sock_close                 |\\n    __sco_sock_close             |\\n      sco_sock_set_timer         |\\n        schedule_delayed_work    |\\n  sco_sock_kill                  |    (wait a time)\\n    sock_put(sk) //FREE          |  sco_sock_timeout\\n                                 |    sock_hold(sk) //USE\\n\\nThe KASAN report triggered by POC is shown below:\\n\\n[   95.890016] ==================================================================\\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\\n...\\n[   95.890755] Workqueue: events sco_sock_timeout\\n[   95.890755] Call Trace:\\n[   95.890755]  \u003cTASK\u003e\\n[   95.890755]  dump_stack_lvl+0x45/0x110\\n[   95.890755]  print_address_description+0x78/0x390\\n[   95.890755]  print_report+0x11b/0x250\\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\\n[   95.890755]  kasan_report+0x139/0x170\\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\\n[   95.890755]  process_one_work+0x561/0xc50\\n[   95.890755]  worker_thread+0xab2/0x13c0\\n[   95.890755]  ? pr_cont_work+0x490/0x490\\n[   95.890755]  kthread+0x279/0x300\\n[   95.890755]  ? pr_cont_work+0x490/0x490\\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\\n[   95.890755]  ret_from_fork+0x34/0x60\\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\\n[   95.890755]  ret_from_fork_asm+0x11/0x20\\n[   95.890755]  \u003c/TASK\u003e\\n[   95.890755]\\n[   95.890755] Allocated by task 506:\\n[   95.890755]  kasan_save_track+0x3f/0x70\\n[   95.890755]  __kasan_kmalloc+0x86/0x90\\n[   95.890755]  __kmalloc+0x17f/0x360\\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\\n[   95.890755]  sk_alloc+0x31/0x4e0\\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\\n[   95.890755]  sco_sock_create+0xad/0x320\\n[   95.890755]  bt_sock_create+0x145/0x320\\n[   95.890755]  __sock_create+0x2e1/0x650\\n[   95.890755]  __sys_socket+0xd0/0x280\\n[   95.890755]  __x64_sys_socket+0x75/0x80\\n[   95.890755]  do_syscall_64+0xc4/0x1b0\\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[   95.890755]\\n[   95.890755] Freed by task 506:\\n[   95.890755]  kasan_save_track+0x3f/0x70\\n[   95.890755]  kasan_save_free_info+0x40/0x50\\n[   95.890755]  poison_slab_object+0x118/0x180\\n[   95.890755]  __kasan_slab_free+0x12/0x30\\n[   95.890755]  kfree+0xb2/0x240\\n[   95.890755]  __sk_destruct+0x317/0x410\\n[   95.890755]  sco_sock_release+0x232/0x280\\n[   95.890755]  sock_close+0xb2/0x210\\n[   95.890755]  __fput+0x37f/0x770\\n[   95.890755]  task_work_run+0x1ae/0x210\\n[   95.890755]  get_signal+0xe17/0xf70\\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\\n[   95.890755]  do_syscall_64+0xd1/0x1b0\\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\\n[   95.890755]\\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\\n[   95.890755] The buggy address is located 128 bytes inside of\\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\\n[   95.890755]\\n[   95.890755] The buggy address belongs to the physical page:\\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\\n[   95.890755] ano\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: corrige errores de use-after-free causados por sco_sock_timeout Cuando se establece la conexi\u00f3n con sco y luego se libera el socket de sco, se programar\u00e1 timeout_work para juzgar si la desconexi\u00f3n de sco es se acab\u00f3 el tiempo. El calcet\u00edn se desasignar\u00e1 m\u00e1s tarde, pero se eliminar\u00e1 la referencia nuevamente en sco_sock_timeout. Como resultado, se producir\u00e1n errores de use-after-free. La causa ra\u00edz se muestra a continuaci\u00f3n: Hilo de limpieza | Hilo de trabajo sco_sock_release | sco_sock_close | __sco_sock_close | sco_sock_set_timer | horario_trabajo_retrasado | sco_sock_kill | (espera un momento) sock_put(sk) //GRATIS | sco_sock_timeout | sock_hold(sk) //USE El informe KASAN activado por POC se muestra a continuaci\u00f3n: [ 95.890016] =============================== ==================================== [95.890496] ERROR: KASAN: uso de losa despu\u00e9s de la liberaci\u00f3n en sco_sock_timeout+0x5e/0x1c0 [95.890755] Escritura de tama\u00f1o 4 en la direcci\u00f3n ffff88800c388080 por tarea kworker/0:0/7... [95.890755] Cola de trabajo: eventos sco_sock_timeout [95.890755] Seguimiento de llamadas: [95.890755] [95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755] print_address_description+0x78/0x390 [ 95.890755] print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [95.890755]? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [95.890755]? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [ 95.890755] Process_one_work+0x561/0xc50 [ 95.890755] hilo+0xab2/0x13c0 [95.890755]? pr_cont_work+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755]? kthread_blkcg+0xa0/0xa0 [95.890755] ret_from_fork+0x34/0x60 [95.890755]? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork_asm+0x11/0x20 [ 95.890755]  [ 95.890755] [ 95.890755] Asignado por la tarea 506: [ 95.890755] /0x70 [ 95.890755] __kasan_kmalloc+0x86/0x90 [ 95.890755] __kmalloc+0x17f/0x360 [ 95.890755] sk_prot_alloc+0xe1/0x1a0 [ 95.890755] sk_alloc+0x31/0x4e0 [ 95.890755] bt_sock_alloc+0x2b/0x2a0 [ sco_s ock_create+0xad/0x320 [ 95.890755] bt_sock_create+0x145/0x320 [ 95.890755] __sock_create+ 0x2e1/0x650 [ 95.890755] __sys_socket+0xd0/0x280 [ 95.890755] __x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [ 95.890755] SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Liberado por la tarea 506: [ 95.890755] kasan_save_track +0x3f/0x70 [ 95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755] veneno_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30 [ 95.890755] 0x240 [95.890755] __sk_destruct+0x317/0x410 [95.890755] sco_sock_release+0x232 /0x280 [ 95.890755] sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755] task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [ 95.8 90755] arch_do_signal_or_restart+0x3f/0x520 [ 95.890755] syscall_exit_to_user_mode+0x55/0x120 [ 95.890755] do_syscall_64+0xd1/0x1b0 [ 95.890755] Entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] La direcci\u00f3n con errores pertenece al objeto en ffff88800c388000 [ 95.89 0755] que pertenece al cach\u00e9 kmalloc-1k de tama\u00f1o 1024 [ 95.890755] El buggy La direcci\u00f3n se encuentra a 128 bytes dentro de [95.890755] regi\u00f3n liberada de 1024 bytes [ffff88800c388000, ffff88800c388400) [95.890755] [95.890755] La direcci\u00f3n con errores pertenece a la p\u00e1gina f\u00edsica: [95.890755] p\u00e1gina: refcount:1 mapcount:0 mapeo: 0000000000000000 \u00edndice :0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: orden:3 entero_mapcount:0 nr_pages_mapped:0 pincount:0 [ 95.890755] a\u00f1o ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

ghsa-45cm-4v3w-5jpw

Vulnerability from github

Published

2024-05-14 15:32

Modified

2024-06-27 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below:

Cleanup Thread               |      Worker Thread

The KASAN report triggered by POC is shown below:

[ 95.890016] ================================================================== [ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [ 95.890755] Workqueue: events sco_sock_timeout [ 95.890755] Call Trace: [ 95.890755] [ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755] print_address_description+0x78/0x390 [ 95.890755] print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [ 95.890755] process_one_work+0x561/0xc50 [ 95.890755] worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork_asm+0x11/0x20 [ 95.890755] [ 95.890755] [ 95.890755] Allocated by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] __kasan_kmalloc+0x86/0x90 [ 95.890755] __kmalloc+0x17f/0x360 [ 95.890755] sk_prot_alloc+0xe1/0x1a0 [ 95.890755] sk_alloc+0x31/0x4e0 [ 95.890755] bt_sock_alloc+0x2b/0x2a0 [ 95.890755] sco_sock_create+0xad/0x320 [ 95.890755] bt_sock_create+0x145/0x320 [ 95.890755] __sock_create+0x2e1/0x650 [ 95.890755] __sys_socket+0xd0/0x280 [ 95.890755] __x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755] poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30 [ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [ 95.890755] sco_sock_release+0x232/0x280 [ 95.890755] sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755] task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [ 95.890755] arch_do_signal_or_restart+0x3f/0x520 [ 95.890755] syscall_exit_to_user_mode+0x55/0x120 [ 95.890755] do_syscall_64+0xd1/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] The buggy address belongs to the object at ffff88800c388000 [ 95.890755] which belongs to the cache kmalloc-1k of size 1024 [ 95.890755] The buggy address is located 128 bytes inside of [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755] The buggy address belongs to the physical page: [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 95.890755] ano ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-27398"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:12:28Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n    Cleanup Thread               |      Worker Thread\nsco_sock_release                 |\n  sco_sock_close                 |\n    __sco_sock_close             |\n      sco_sock_set_timer         |\n        schedule_delayed_work    |\n  sco_sock_kill                  |    (wait a time)\n    sock_put(sk) //FREE          |  sco_sock_timeout\n                                 |    sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[   95.890016] ==================================================================\n[   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[   95.890755] Workqueue: events sco_sock_timeout\n[   95.890755] Call Trace:\n[   95.890755]  \u003cTASK\u003e\n[   95.890755]  dump_stack_lvl+0x45/0x110\n[   95.890755]  print_address_description+0x78/0x390\n[   95.890755]  print_report+0x11b/0x250\n[   95.890755]  ? __virt_addr_valid+0xbe/0xf0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_report+0x139/0x170\n[   95.890755]  ? update_load_avg+0xe5/0x9f0\n[   95.890755]  ? sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  kasan_check_range+0x2c3/0x2e0\n[   95.890755]  sco_sock_timeout+0x5e/0x1c0\n[   95.890755]  process_one_work+0x561/0xc50\n[   95.890755]  worker_thread+0xab2/0x13c0\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  kthread+0x279/0x300\n[   95.890755]  ? pr_cont_work+0x490/0x490\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork+0x34/0x60\n[   95.890755]  ? kthread_blkcg+0xa0/0xa0\n[   95.890755]  ret_from_fork_asm+0x11/0x20\n[   95.890755]  \u003c/TASK\u003e\n[   95.890755]\n[   95.890755] Allocated by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  __kasan_kmalloc+0x86/0x90\n[   95.890755]  __kmalloc+0x17f/0x360\n[   95.890755]  sk_prot_alloc+0xe1/0x1a0\n[   95.890755]  sk_alloc+0x31/0x4e0\n[   95.890755]  bt_sock_alloc+0x2b/0x2a0\n[   95.890755]  sco_sock_create+0xad/0x320\n[   95.890755]  bt_sock_create+0x145/0x320\n[   95.890755]  __sock_create+0x2e1/0x650\n[   95.890755]  __sys_socket+0xd0/0x280\n[   95.890755]  __x64_sys_socket+0x75/0x80\n[   95.890755]  do_syscall_64+0xc4/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] Freed by task 506:\n[   95.890755]  kasan_save_track+0x3f/0x70\n[   95.890755]  kasan_save_free_info+0x40/0x50\n[   95.890755]  poison_slab_object+0x118/0x180\n[   95.890755]  __kasan_slab_free+0x12/0x30\n[   95.890755]  kfree+0xb2/0x240\n[   95.890755]  __sk_destruct+0x317/0x410\n[   95.890755]  sco_sock_release+0x232/0x280\n[   95.890755]  sock_close+0xb2/0x210\n[   95.890755]  __fput+0x37f/0x770\n[   95.890755]  task_work_run+0x1ae/0x210\n[   95.890755]  get_signal+0xe17/0xf70\n[   95.890755]  arch_do_signal_or_restart+0x3f/0x520\n[   95.890755]  syscall_exit_to_user_mode+0x55/0x120\n[   95.890755]  do_syscall_64+0xd1/0x1b0\n[   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[   95.890755]\n[   95.890755] The buggy address belongs to the object at ffff88800c388000\n[   95.890755]  which belongs to the cache kmalloc-1k of size 1024\n[   95.890755] The buggy address is located 128 bytes inside of\n[   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[   95.890755]\n[   95.890755] The buggy address belongs to the physical page:\n[   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[   95.890755] ano\n---truncated---",
  "id": "GHSA-45cm-4v3w-5jpw",
  "modified": "2024-06-27T15:30:38Z",
  "published": "2024-05-14T15:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

gsd-2024-27398

Vulnerability from gsd

Modified

2024-02-26 06:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-27398

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-27398"
      ],
      "id": "GSD-2024-27398",
      "modified": "2024-02-26T06:02:26.732390Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-27398",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

wid-sec-w-2024-1108

Vulnerability from csaf_certbund

Published

2024-05-13 22:00

Modified

2024-07-22 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder einen nicht näher spezifizierten Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1108 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1108.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1108 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1108"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announce vom 2024-05-13",
        "url": "https://lore.kernel.org/linux-cve-announce/2024051300-CVE-2024-27399-afa8@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announce vom 2024-05-13",
        "url": "https://lore.kernel.org/linux-cve-announce/2024051307-CVE-2023-52655-3f94@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announce vom 2024-05-13",
        "url": "https://lore.kernel.org/linux-cve-announce/2024051317-CVE-2024-27400-3b00@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announce vom 2024-05-13",
        "url": "https://lore.kernel.org/linux-cve-announce/2024051338-CVE-2023-52656-6545@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announce vom 2024-05-13",
        "url": "https://lore.kernel.org/linux-cve-announce/2024051341-CVE-2024-27401-e31d@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announce vom 2024-05-13",
        "url": "https://lore.kernel.org/linux-cve-announce/2024051355-CVE-2024-27398-08ef@gregkh/T/"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-88ABD103C8 vom 2024-05-18",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-88abd103c8"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-49FCF86F58 vom 2024-05-18",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-49fcf86f58"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2024-92664AE6FE vom 2024-05-18",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-92664ae6fe"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5703 vom 2024-06-02",
        "url": "https://lists.debian.org/debian-security-announce/2024/msg00113.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6821-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6821-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6820-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6820-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6821-2 vom 2024-06-10",
        "url": "https://ubuntu.com/security/notices/USN-6821-2"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1979-1 vom 2024-06-11",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018685.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1983-1 vom 2024-06-11",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018700.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6820-2 vom 2024-06-11",
        "url": "https://ubuntu.com/security/notices/USN-6820-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6821-3 vom 2024-06-11",
        "url": "https://ubuntu.com/security/notices/USN-6821-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6828-1 vom 2024-06-11",
        "url": "https://ubuntu.com/security/notices/USN-6828-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2011-1 vom 2024-06-12",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018710.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2010-1 vom 2024-06-12",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018711.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2008-1 vom 2024-06-12",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018706.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6821-4 vom 2024-06-14",
        "url": "https://ubuntu.com/security/notices/USN-6821-4"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2135-1 vom 2024-06-21",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018783.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2185-1 vom 2024-06-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018809.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2184-1 vom 2024-06-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018807.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2183-1 vom 2024-06-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018808.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2189-1 vom 2024-06-25",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018811.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2190-1 vom 2024-06-25",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018819.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3842 vom 2024-06-25",
        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3843 vom 2024-06-27",
        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3840 vom 2024-06-27",
        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6871-1 vom 2024-07-04",
        "url": "https://ubuntu.com/security/notices/USN-6871-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2360-1 vom 2024-07-09",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018907.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2381-1 vom 2024-07-10",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018916.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6892-1 vom 2024-07-10",
        "url": "https://ubuntu.com/security/notices/USN-6892-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-1 vom 2024-07-12",
        "url": "https://ubuntu.com/security/notices/USN-6896-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-2 vom 2024-07-16",
        "url": "https://ubuntu.com/security/notices/USN-6896-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-3 vom 2024-07-17",
        "url": "https://ubuntu.com/security/notices/USN-6896-3"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2561-1 vom 2024-07-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019001.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-4 vom 2024-07-19",
        "url": "https://ubuntu.com/security/notices/USN-6896-4"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2571-1 vom 2024-07-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/019019.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6896-5 vom 2024-07-23",
        "url": "https://ubuntu.com/security/notices/USN-6896-5"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-07-22T22:00:00.000+00:00",
      "generator": {
        "date": "2024-07-23T10:38:56.899+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2024-1108",
      "initial_release_date": "2024-05-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-05-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-05-20T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2024-06-02T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-06-09T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-10T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-11T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE und Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-12T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-16T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-23T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-24T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-25T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE und Debian aufgenommen"
        },
        {
          "date": "2024-06-26T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-06-27T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-07-03T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-09T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-10T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-14T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-16T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-17T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-18T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-07-22T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "21"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T034715",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-52655",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Bluetooth, USB und anderen aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Null-Zeiger-Dereferenz oder einem Use-after-free-Problem. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder weitere nicht spezifizierte Angriffe durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T034715",
          "T000126",
          "74185"
        ]
      },
      "release_date": "2024-05-13T22:00:00Z",
      "title": "CVE-2023-52655"
    },
    {
      "cve": "CVE-2023-52656",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Bluetooth, USB und anderen aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Null-Zeiger-Dereferenz oder einem Use-after-free-Problem. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder weitere nicht spezifizierte Angriffe durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T034715",
          "T000126",
          "74185"
        ]
      },
      "release_date": "2024-05-13T22:00:00Z",
      "title": "CVE-2023-52656"
    },
    {
      "cve": "CVE-2024-27398",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Bluetooth, USB und anderen aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Null-Zeiger-Dereferenz oder einem Use-after-free-Problem. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder weitere nicht spezifizierte Angriffe durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T034715",
          "T000126",
          "74185"
        ]
      },
      "release_date": "2024-05-13T22:00:00Z",
      "title": "CVE-2024-27398"
    },
    {
      "cve": "CVE-2024-27399",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Bluetooth, USB und anderen aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Null-Zeiger-Dereferenz oder einem Use-after-free-Problem. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder weitere nicht spezifizierte Angriffe durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T034715",
          "T000126",
          "74185"
        ]
      },
      "release_date": "2024-05-13T22:00:00Z",
      "title": "CVE-2024-27399"
    },
    {
      "cve": "CVE-2024-27400",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Bluetooth, USB und anderen aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Null-Zeiger-Dereferenz oder einem Use-after-free-Problem. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder weitere nicht spezifizierte Angriffe durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T034715",
          "T000126",
          "74185"
        ]
      },
      "release_date": "2024-05-13T22:00:00Z",
      "title": "CVE-2024-27400"
    },
    {
      "cve": "CVE-2024-27401",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler bestehen in mehreren Komponenten und Subsystemen wie Bluetooth, USB und anderen aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Null-Zeiger-Dereferenz oder einem Use-after-free-Problem. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder weitere nicht spezifizierte Angriffe durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T034715",
          "T000126",
          "74185"
        ]
      },
      "release_date": "2024-05-13T22:00:00Z",
      "title": "CVE-2024-27401"
    }
  ]
}

Action not permitted

cve-2024-27398

Vulnerability from cvelistv5

ghsa-45cm-4v3w-5jpw

Vulnerability from github

gsd-2024-27398

Vulnerability from gsd

wid-sec-w-2024-1108

Vulnerability from csaf_certbund

Tags