csaf_certbund - wid-sec-w-2024-0632

WID-SEC-W-2024-0632

Vulnerability from csaf_certbund - Published: 2024-03-13 23:00 - Updated: 2025-04-10 22:00

Summary

Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0632 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0632.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0632 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0632"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-03-13",
        "url": "http://lore.kernel.org/linux-cve-announce/20240313140155.1913910-3-lee@kernel.org/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-03-13",
        "url": "http://lore.kernel.org/linux-cve-announce/20240313140155.1913910-4-lee@kernel.org/"
      },
      {
        "category": "external",
        "summary": "CVE Announce auf lore.kernel.org vom 2024-03-13",
        "url": "http://lore.kernel.org/linux-cve-announce/20240313155037.1968072-2-lee@kernel.org/"
      },
      {
        "category": "external",
        "summary": "RedHat Bugzilla vom 2024-03-13",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269432"
      },
      {
        "category": "external",
        "summary": "RedHat Bugzilla vom 2024-03-13",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269434"
      },
      {
        "category": "external",
        "summary": "RedHat Bugzilla vom 2024-03-13",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269436"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-03-13",
        "url": "https://github.com/advisories/GHSA-vhvr-7ww4-7fgj"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1322-1 vom 2024-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018374.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1332-1 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018376.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1322-2 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018377.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1332-2 vom 2024-04-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018378.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1466-1 vom 2024-04-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018438.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1480-1 vom 2024-04-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-April/018444.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1490-1 vom 2024-05-03",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-May/018445.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6765-1 vom 2024-05-07",
        "url": "https://ubuntu.com/security/notices/USN-6765-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6766-1 vom 2024-05-07",
        "url": "https://ubuntu.com/security/notices/USN-6766-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6766-2 vom 2024-05-15",
        "url": "https://ubuntu.com/security/notices/USN-6766-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6766-3 vom 2024-05-20",
        "url": "https://ubuntu.com/security/notices/USN-6766-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6795-1 vom 2024-05-28",
        "url": "https://ubuntu.com/security/notices/USN-6795-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6819-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6819-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6818-1 vom 2024-06-08",
        "url": "https://ubuntu.com/security/notices/USN-6818-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6818-2 vom 2024-06-10",
        "url": "https://ubuntu.com/security/notices/USN-6818-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6828-1 vom 2024-06-11",
        "url": "https://ubuntu.com/security/notices/USN-6828-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6819-2 vom 2024-06-12",
        "url": "https://ubuntu.com/security/notices/USN-6819-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6819-3 vom 2024-06-12",
        "url": "https://ubuntu.com/security/notices/USN-6819-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6818-3 vom 2024-06-14",
        "url": "https://ubuntu.com/security/notices/USN-6818-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6818-4 vom 2024-06-19",
        "url": "https://ubuntu.com/security/notices/USN-6818-4"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:2135-1 vom 2024-06-21",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018783.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6819-4 vom 2024-06-26",
        "url": "https://ubuntu.com/security/notices/USN-6819-4"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-1 vom 2024-07-15",
        "url": "https://ubuntu.com/security/notices/USN-6898-1"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5730 vom 2024-07-16",
        "url": "https://lists.debian.org/debian-security-announce/2024/msg00141.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-2 vom 2024-07-17",
        "url": "https://ubuntu.com/security/notices/USN-6898-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-3 vom 2024-07-19",
        "url": "https://ubuntu.com/security/notices/USN-6898-3"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASKERNEL-5.10-2024-064 vom 2024-07-23",
        "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-064.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6898-4 vom 2024-07-23",
        "url": "https://ubuntu.com/security/notices/USN-6898-4"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6917-1 vom 2024-07-26",
        "url": "https://ubuntu.com/security/notices/USN-6917-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6919-1 vom 2024-07-26",
        "url": "https://ubuntu.com/security/notices/USN-6919-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6927-1 vom 2024-07-30",
        "url": "https://ubuntu.com/security/notices/USN-6927-1"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2024:6567 vom 2024-09-11",
        "url": "https://access.redhat.com/errata/RHSA-2024:6567"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2024-6567 vom 2024-09-12",
        "url": "https://linux.oracle.com/errata/ELSA-2024-6567.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2024:6567 vom 2024-09-17",
        "url": "https://errata.build.resf.org/RLSA-2024:6567"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin",
        "url": "https://www.ibm.com/support/pages/node/7174634"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7179045 vom 2024-12-16",
        "url": "https://www.ibm.com/support/pages/node/7179045"
      },
      {
        "category": "external",
        "summary": "Juniper Security Advisory JSA92874 vom 2024-01-09",
        "url": "https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-Space-Multiple-vulnerabilities-resolved-in-24-1R2-release"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7181933 vom 2025-01-29",
        "url": "https://www.ibm.com/support/pages/node/7181933"
      },
      {
        "category": "external",
        "summary": "Juniper Security Bulletin",
        "url": "https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-Space-Multiple-vulnerabilities-resolved-in-24-1R2-release?language=en_US"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
    "tracking": {
      "current_release_date": "2025-04-10T22:00:00.000+00:00",
      "generator": {
        "date": "2025-04-11T08:49:52.989+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2024-0632",
      "initial_release_date": "2024-03-13T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-03-13T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-04-16T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-04-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-04-29T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-01T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-02T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-05-07T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-05-15T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-05-20T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-05-28T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-09T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-10T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-11T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-12T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-16T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-18T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-06-23T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-26T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-15T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Ubuntu und Debian aufgenommen"
        },
        {
          "date": "2024-07-17T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-18T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-22T22:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-07-28T22:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-07-30T22:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-09-10T22:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-09-11T22:00:00.000+00:00",
          "number": "26",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2024-09-16T22:00:00.000+00:00",
          "number": "27",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2024-10-31T23:00:00.000+00:00",
          "number": "28",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-12-16T23:00:00.000+00:00",
          "number": "29",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-01-08T23:00:00.000+00:00",
          "number": "30",
          "summary": "Neue Updates von Juniper aufgenommen"
        },
        {
          "date": "2025-01-29T23:00:00.000+00:00",
          "number": "31",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-10T22:00:00.000+00:00",
          "number": "32",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "32"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM InfoSphere Guardium",
            "product": {
              "name": "IBM InfoSphere Guardium",
              "product_id": "T002366",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:infosphere_guardium:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.5.0 UP10 IF01",
                "product": {
                  "name": "IBM QRadar SIEM \u003c7.5.0 UP10 IF01",
                  "product_id": "T038741"
                }
              },
              {
                "category": "product_version",
                "name": "7.5.0 UP10 IF01",
                "product": {
                  "name": "IBM QRadar SIEM 7.5.0 UP10 IF01",
                  "product_id": "T038741-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up10_if01"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.1.9.5",
                "product": {
                  "name": "IBM Storage Scale \u003c6.1.9.5",
                  "product_id": "T039851"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.9.5",
                "product": {
                  "name": "IBM Storage Scale 6.1.9.5",
                  "product_id": "T039851-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_scale:6.1.9.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.2.2.0",
                "product": {
                  "name": "IBM Storage Scale \u003c6.2.2.0",
                  "product_id": "T039852"
                }
              },
              {
                "category": "product_version",
                "name": "6.2.2.0",
                "product": {
                  "name": "IBM Storage Scale 6.2.2.0",
                  "product_id": "T039852-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spectrum_scale:6.2.2.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Storage Scale"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c24.1R2",
                "product": {
                  "name": "Juniper Junos Space \u003c24.1R2",
                  "product_id": "T040074"
                }
              },
              {
                "category": "product_version",
                "name": "24.1R2",
                "product": {
                  "name": "Juniper Junos Space 24.1R2",
                  "product_id": "T040074-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:juniper:junos_space:24.1r2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Junos Space"
          }
        ],
        "category": "vendor",
        "name": "Juniper"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T033473",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-52608",
      "product_status": {
        "known_affected": [
          "67646",
          "T004914",
          "T032255",
          "T033473",
          "T038741",
          "T039852",
          "T039851",
          "T040074",
          "2951",
          "T002207",
          "T000126",
          "T002366",
          "398363"
        ]
      },
      "release_date": "2024-03-13T23:00:00.000+00:00",
      "title": "CVE-2023-52608"
    },
    {
      "cve": "CVE-2024-26629",
      "product_status": {
        "known_affected": [
          "67646",
          "T004914",
          "T032255",
          "T033473",
          "T038741",
          "T039852",
          "T039851",
          "T040074",
          "2951",
          "T002207",
          "T000126",
          "T002366",
          "398363"
        ]
      },
      "release_date": "2024-03-13T23:00:00.000+00:00",
      "title": "CVE-2024-26629"
    },
    {
      "cve": "CVE-2024-26630",
      "product_status": {
        "known_affected": [
          "67646",
          "T004914",
          "T032255",
          "T033473",
          "T038741",
          "T039852",
          "T039851",
          "T040074",
          "2951",
          "T002207",
          "T000126",
          "T002366",
          "398363"
        ]
      },
      "release_date": "2024-03-13T23:00:00.000+00:00",
      "title": "CVE-2024-26630"
    }
  ]
}

CVE-2024-26629 (GCVE-0-2024-26629)

Vulnerability from cvelistv5 – Published: 2024-03-13 14:01 – Updated: 2025-05-04 12:54

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_release_lockowner(), the test on so_count can transiently return a false positive resulting in a return of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is clearly a protocol violation and with the Linux NFS client it can cause incorrect behaviour. If RELEASE_LOCKOWNER is sent while some other thread is still processing a LOCK request which failed because, at the time that request was received, the given owner held a conflicting lock, then the nfsd thread processing that LOCK request can hold a reference (conflock) to the lock owner that causes nfsd4_release_lockowner() to return an incorrect error. The Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it never sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so it knows that the error is impossible. It assumes the lock owner was in fact released so it feels free to use the same lock owner identifier in some later locking request. When it does reuse a lock owner identifier for which a previous RELEASE failed, it will naturally use a lock_seqid of zero. However the server, which didn't release the lock owner, will expect a larger lock_seqid and so will respond with NFS4ERR_BAD_SEQID. So clearly it is harmful to allow a false positive, which testing so_count allows. The test is nonsense because ... well... it doesn't mean anything. so_count is the sum of three different counts. 1/ the set of states listed on so_stateids 2/ the set of active vfs locks owned by any of those states 3/ various transient counts such as for conflicting locks. When it is tested against '2' it is clear that one of these is the transient reference obtained by find_lockowner_str_locked(). It is not clear what the other one is expected to be. In practice, the count is often 2 because there is precisely one state on so_stateids. If there were more, this would fail. In my testing I see two circumstances when RELEASE_LOCKOWNER is called. In one case, CLOSE is called before RELEASE_LOCKOWNER. That results in all the lock states being removed, and so the lockowner being discarded (it is removed when there are no more references which usually happens when the lock state is discarded). When nfsd4_release_lockowner() finds that the lock owner doesn't exist, it returns success. The other case shows an so_count of '2' and precisely one state listed in so_stateid. It appears that the Linux client uses a separate lock owner for each file resulting in one lock state per lock owner, so this test on '2' is safe. For another client it might not be safe. So this patch changes check_for_locks() to use the (newish) find_any_file_locked() so that it doesn't take a reference on the nfs4_file and so never calls nfsd_file_put(), and so never sleeps. With this check is it safe to restore the use of check_for_locks() rather than testing so_count against the mysterious '2'.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/99fb654d01dc3f08b…
	https://git.kernel.org/stable/c/c6f8b3fcc62725e41…
	https://git.kernel.org/stable/c/e4cf8941664cae2f8…
	https://git.kernel.org/stable/c/b7d2eee1f53899b53…
	https://git.kernel.org/stable/c/8f5b860de87039b00…
	https://git.kernel.org/stable/c/edcf9725150e42bee…

Impacted products

Vendor

Product

Version

Linux

Affected: 3097f38e91266c7132c3fdb7e778fac858c00670 , < 99fb654d01dc3f08b5905c663ad6c89a9d83302f (git)
Affected: e2fc17fcc503cfca57b5d1dd3b646ca7eebead97 , < c6f8b3fcc62725e4129f2c0fd550d022d4a7685a (git)
Affected: ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b , < e4cf8941664cae2f89f0189c29fe2ce8c6be0d03 (git)
Affected: ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b , < b7d2eee1f53899b53f069bba3a59a419fc3d331b (git)
Affected: ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b , < 8f5b860de87039b007e84a28a5eefc888154e098 (git)
Affected: ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b , < edcf9725150e42beeca42d085149f4c88fa97afd (git)
Affected: fea1d0940301378206955264a01778700fc9c16f (git)
Affected: 2ec65dc6635d1976bd1dbf2640ff7f810b2f6dd1 (git)
Affected: a2235bc65ade40982c3d09025cdd34bc539d6a69 (git)
Affected: ba747abfca27e23c42ded3912c87b70d7e16b6ab (git)
Affected: e8020d96dd5b2dcc1f6a8ee4f87a53a373002cd5 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 5.10.220 , ≤ 5.10.* (semver)
Unaffected: 5.15.154 , ≤ 5.15.* (semver)
Unaffected: 6.1.79 , ≤ 6.1.* (semver)
Unaffected: 6.6.15 , ≤ 6.6.* (semver)
Unaffected: 6.7.3 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26629",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-21T16:10:40.555857Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-21T16:10:48.664Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.714Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99fb654d01dc3f08b5905c663ad6c89a9d83302f",
              "status": "affected",
              "version": "3097f38e91266c7132c3fdb7e778fac858c00670",
              "versionType": "git"
            },
            {
              "lessThan": "c6f8b3fcc62725e4129f2c0fd550d022d4a7685a",
              "status": "affected",
              "version": "e2fc17fcc503cfca57b5d1dd3b646ca7eebead97",
              "versionType": "git"
            },
            {
              "lessThan": "e4cf8941664cae2f89f0189c29fe2ce8c6be0d03",
              "status": "affected",
              "version": "ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b",
              "versionType": "git"
            },
            {
              "lessThan": "b7d2eee1f53899b53f069bba3a59a419fc3d331b",
              "status": "affected",
              "version": "ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b",
              "versionType": "git"
            },
            {
              "lessThan": "8f5b860de87039b007e84a28a5eefc888154e098",
              "status": "affected",
              "version": "ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b",
              "versionType": "git"
            },
            {
              "lessThan": "edcf9725150e42beeca42d085149f4c88fa97afd",
              "status": "affected",
              "version": "ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fea1d0940301378206955264a01778700fc9c16f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2ec65dc6635d1976bd1dbf2640ff7f810b2f6dd1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a2235bc65ade40982c3d09025cdd34bc539d6a69",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ba747abfca27e23c42ded3912c87b70d7e16b6ab",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e8020d96dd5b2dcc1f6a8ee4f87a53a373002cd5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.220",
                  "versionStartIncluding": "5.10.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.154",
                  "versionStartIncluding": "5.15.45",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.79",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.15",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.317",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.282",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.197",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful.  Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held.  This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible.  It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero.  However the server,\nwhich didn\u0027t release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn\u0027t mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against \u00272\u0027 it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked().  It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids.  If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER.  That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded).  When nfsd4_release_lockowner() finds\nthat the lock owner doesn\u0027t exist, it returns success.\n\nThe other case shows an so_count of \u00272\u0027 and precisely one state listed\nin so_stateid.  It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on \u00272\u0027 is safe.  For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn\u0027t take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps.  With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious \u00272\u0027."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:54:17.239Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99fb654d01dc3f08b5905c663ad6c89a9d83302f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098"
        },
        {
          "url": "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd"
        }
      ],
      "title": "nfsd: fix RELEASE_LOCKOWNER",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26629",
    "datePublished": "2024-03-13T14:01:49.452Z",
    "dateReserved": "2024-02-19T14:20:24.135Z",
    "dateUpdated": "2025-05-04T12:54:17.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26630 (GCVE-0-2024-26630)

Vulnerability from cvelistv5 – Published: 2024-03-13 15:50 – Updated: 2025-05-04 08:52

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: cachestat: fix folio read-after-free in cache walk In cachestat, we access the folio from the page cache's xarray to compute its page offset, and check for its dirty and writeback flags. However, we do not hold a reference to the folio before performing these actions, which means the folio can concurrently be released and reused as another folio/page/slab. Get around this altogether by just using xarray's existing machinery for the folio page offsets and dirty/writeback states. This changes behavior for tmpfs files to now always report zeroes in their dirty and writeback counters. This is okay as tmpfs doesn't follow conventional writeback cache behavior: its pages get "cleaned" during swapout, after which they're no longer resident etc.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ba60fdf75e89ea762…
	https://git.kernel.org/stable/c/fe7e008e0ce728252…
	https://git.kernel.org/stable/c/3a75cb05d53f4a682…

Impacted products

Vendor

Product

Version

Linux

Affected: cf264e1329fb0307e044f7675849f9f38b44c11a , < ba60fdf75e89ea762bb617be578dc47f27655117 (git)
Affected: cf264e1329fb0307e044f7675849f9f38b44c11a , < fe7e008e0ce728252e4ec652cceebcc62211657c (git)
Affected: cf264e1329fb0307e044f7675849f9f38b44c11a , < 3a75cb05d53f4a6823a32deb078de1366954a804 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.21 , ≤ 6.6.* (semver)
Unaffected: 6.7.9 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26630",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T19:45:46.313433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:39.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:19.749Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ba60fdf75e89ea762bb617be578dc47f27655117"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fe7e008e0ce728252e4ec652cceebcc62211657c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3a75cb05d53f4a6823a32deb078de1366954a804"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/filemap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba60fdf75e89ea762bb617be578dc47f27655117",
              "status": "affected",
              "version": "cf264e1329fb0307e044f7675849f9f38b44c11a",
              "versionType": "git"
            },
            {
              "lessThan": "fe7e008e0ce728252e4ec652cceebcc62211657c",
              "status": "affected",
              "version": "cf264e1329fb0307e044f7675849f9f38b44c11a",
              "versionType": "git"
            },
            {
              "lessThan": "3a75cb05d53f4a6823a32deb078de1366954a804",
              "status": "affected",
              "version": "cf264e1329fb0307e044f7675849f9f38b44c11a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/filemap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.21",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.9",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: cachestat: fix folio read-after-free in cache walk\n\nIn cachestat, we access the folio from the page cache\u0027s xarray to compute\nits page offset, and check for its dirty and writeback flags.  However, we\ndo not hold a reference to the folio before performing these actions,\nwhich means the folio can concurrently be released and reused as another\nfolio/page/slab.\n\nGet around this altogether by just using xarray\u0027s existing machinery for\nthe folio page offsets and dirty/writeback states.\n\nThis changes behavior for tmpfs files to now always report zeroes in their\ndirty and writeback counters.  This is okay as tmpfs doesn\u0027t follow\nconventional writeback cache behavior: its pages get \"cleaned\" during\nswapout, after which they\u0027re no longer resident etc."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:52:40.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba60fdf75e89ea762bb617be578dc47f27655117"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe7e008e0ce728252e4ec652cceebcc62211657c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a75cb05d53f4a6823a32deb078de1366954a804"
        }
      ],
      "title": "mm: cachestat: fix folio read-after-free in cache walk",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26630",
    "datePublished": "2024-03-13T15:50:32.480Z",
    "dateReserved": "2024-02-19T14:20:24.135Z",
    "dateUpdated": "2025-05-04T08:52:40.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52608 (GCVE-0-2023-52608)

Vulnerability from cvelistv5 – Published: 2024-03-13 14:01 – Updated: 2025-05-04 07:39

Summary

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Check mailbox/SMT channel for consistency On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence number identifies a transaction which is still pending, the related payload is fetched too. When an SCMI command times out the channel ownership remains with the platform until eventually a late reply is received and, as a consequence, any further transmission attempt remains pending, waiting for the channel to be relinquished by the platform. Once that late reply is received the channel ownership is given back to the agent and any pending request is then allowed to proceed and overwrite the SMT area of the just delivered late reply; then the wait for the reply to the new request starts. It has been observed that the spurious IRQ related to the late reply can be wrongly associated with the freshly enqueued request: when that happens the SCMI stack in-flight lookup procedure is fooled by the fact that the message header now present in the SMT area is related to the new pending transaction, even though the real reply has still to arrive. This race-condition on the A2P channel can be detected by looking at the channel status bits: a genuine reply from the platform will have set the channel free bit before triggering the completion IRQ. Add a consistency check to validate such condition in the A2P ISR.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/614cc65032dcb0b64…
	https://git.kernel.org/stable/c/7f95f6997f4fdd17a…
	https://git.kernel.org/stable/c/9b5e1b93c83ee5fc9…
	https://git.kernel.org/stable/c/12dc4217f16551d6d…
	https://git.kernel.org/stable/c/437a310b22244d4e0…

Impacted products

Vendor

Product

Version

Linux

Affected: 5c8a47a5a91d4d6e185f758d61997613d9c5d6ac , < 614cc65032dcb0b64d23f5c5e338a8a04b12be5d (git)
Affected: 5c8a47a5a91d4d6e185f758d61997613d9c5d6ac , < 7f95f6997f4fdd17abec3200cae45420a5489350 (git)
Affected: 5c8a47a5a91d4d6e185f758d61997613d9c5d6ac , < 9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2 (git)
Affected: 5c8a47a5a91d4d6e185f758d61997613d9c5d6ac , < 12dc4217f16551d6dee9cbefc23fdb5659558cda (git)
Affected: 5c8a47a5a91d4d6e185f758d61997613d9c5d6ac , < 437a310b22244d4e0b78665c3042e5d1c0f45306 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.15.149 , ≤ 5.15.* (semver)
Unaffected: 6.1.76 , ≤ 6.1.* (semver)
Unaffected: 6.6.15 , ≤ 6.6.* (semver)
Unaffected: 6.7.3 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52608",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-06T17:50:57.700750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T17:51:11.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.210Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/614cc65032dcb0b64d23f5c5e338a8a04b12be5d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7f95f6997f4fdd17abec3200cae45420a5489350"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/12dc4217f16551d6dee9cbefc23fdb5659558cda"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/437a310b22244d4e0b78665c3042e5d1c0f45306"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_scmi/common.h",
            "drivers/firmware/arm_scmi/mailbox.c",
            "drivers/firmware/arm_scmi/shmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "614cc65032dcb0b64d23f5c5e338a8a04b12be5d",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "7f95f6997f4fdd17abec3200cae45420a5489350",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "12dc4217f16551d6dee9cbefc23fdb5659558cda",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "437a310b22244d4e0b78665c3042e5d1c0f45306",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_scmi/common.h",
            "drivers/firmware/arm_scmi/mailbox.c",
            "drivers/firmware/arm_scmi/shmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.149",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.76",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.15",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\n\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\n\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\n\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\n\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\n\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\n\nAdd a consistency check to validate such condition in the A2P ISR."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:39:47.368Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/614cc65032dcb0b64d23f5c5e338a8a04b12be5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f95f6997f4fdd17abec3200cae45420a5489350"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/12dc4217f16551d6dee9cbefc23fdb5659558cda"
        },
        {
          "url": "https://git.kernel.org/stable/c/437a310b22244d4e0b78665c3042e5d1c0f45306"
        }
      ],
      "title": "firmware: arm_scmi: Check mailbox/SMT channel for consistency",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52608",
    "datePublished": "2024-03-13T14:01:48.870Z",
    "dateReserved": "2024-03-02T21:55:42.574Z",
    "dateUpdated": "2025-05-04T07:39:47.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2024-0632

CVE-2024-26629 (GCVE-0-2024-26629)

CVE-2024-26630 (GCVE-0-2024-26630)

CVE-2023-52608 (GCVE-0-2023-52608)

Tags

Sightings

Nomenclature