{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26961", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.201Z", "datePublished": "2024-05-01T05:19:16.361Z", "dateUpdated": "2025-05-04T09:00:52.446Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:00:52.446Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/cfg802154.h", "net/mac802154/llsec.c"], "versions": [{"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "068ab2759bc0b4daf0b964de61b2731449c86531", "status": "affected", "versionType": "git"}, {"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "d3d858650933d44ac12c1f31337e7110c2071821", "status": "affected", "versionType": "git"}, {"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "dcd51ab42b7a0431575689c5f74b8b6efd45fc2f", "status": "affected", "versionType": "git"}, {"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "20d3e1c8a1847497269f04d874b2a5818ec29e2d", "status": "affected", "versionType": "git"}, {"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "640297c3e897bd7e1481466a6a5cb9560f1edb88", "status": "affected", "versionType": "git"}, {"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "49c8951680d7b76fceaee89dcfbab1363fb24fd1", "status": "affected", "versionType": "git"}, {"version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "e8a1e58345cf40b7b272e08ac7b32328b2543e40", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/cfg802154.h", "net/mac802154/llsec.c"], "versions": [{"version": "3.16", "status": "affected"}, {"version": "0", "lessThan": "3.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.84", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.24", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.12", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.3", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "5.10.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "5.15.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.1.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.6.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.7.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.8.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"}, {"url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"}, {"url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"}, {"url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"}, {"url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"}, {"url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"}, {"url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"}], "title": "mac802154: fix llsec key resources release in mac802154_llsec_key_del", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-28T17:51:17.536237Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:48:15.130Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.779Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.779Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-28T17:51:17.536237Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-28T17:51:23.141Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "mac802154: fix llsec key resources release in mac802154_llsec_key_del", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "068ab2759bc0b4daf0b964de61b2731449c86531", "versionType": "git"}, {"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "d3d858650933d44ac12c1f31337e7110c2071821", "versionType": "git"}, {"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "dcd51ab42b7a0431575689c5f74b8b6efd45fc2f", "versionType": "git"}, {"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "20d3e1c8a1847497269f04d874b2a5818ec29e2d", "versionType": "git"}, {"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "640297c3e897bd7e1481466a6a5cb9560f1edb88", "versionType": "git"}, {"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "49c8951680d7b76fceaee89dcfbab1363fb24fd1", "versionType": "git"}, {"status": "affected", "version": "5d637d5aabd85132bd85779677d8acb708e0ed90", "lessThan": "e8a1e58345cf40b7b272e08ac7b32328b2543e40", "versionType": "git"}], "programFiles": ["include/net/cfg802154.h", "net/mac802154/llsec.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.16"}, {"status": "unaffected", "version": "0", "lessThan": "3.16", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.215", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.154", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.84", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.24", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.12", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.3", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/net/cfg802154.h", "net/mac802154/llsec.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"}, {"url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"}, {"url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"}, {"url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"}, {"url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"}, {"url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"}, {"url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org)."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.215", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.154", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.84", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.24", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.12", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.3", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "3.16"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:00:52.446Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26961", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:00:52.446Z", "dateReserved": "2024-02-19T14:20:24.201Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-01T05:19:16.361Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "46A56CAB-271E-4C61-8E54-08CC18E95897", "versionEndExcluding": "5.10.215", "versionStartIncluding": "3.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "834D9BD5-42A6-4D74-979E-4D6D93F630FD", "versionEndExcluding": "6.1.84", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8018C1D0-0A5F-48D0-BC72-A2B33FDDA693", "versionEndExcluding": "6.6.24", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53", "versionEndExcluding": "6.7.12", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C59BBC3-6495-4A77-9C82-55EC7CDF5E02", "versionEndExcluding": "6.8.3", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org)."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mac802154: corrige la liberaci\u00f3n de recursos de clave llsec en mac802154_llsec_key_del mac802154_llsec_key_del() puede liberar recursos de una clave directamente sin seguir las reglas de RCU para esperar antes del final de un per\u00edodo de gracia. Esto puede llevar a un use-after-free en caso de que llsec_lookup_key() est\u00e9 recorriendo la lista de claves en paralelo con una eliminaci\u00f3n de clave: refcount_t: suma en 0; use-after-free. ADVERTENCIA: CPU: 4 PID: 16000 en lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0 M\u00f3dulos vinculados en: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Nombre de hardware: PC est\u00e1ndar QEMU ( i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 01/04/2014 RIP: 0010:refcount_warn_saturate+0x162/0x2a0 Seguimiento de llamadas: llsec_lookup_key.isra.0+0x890/0x9e0 mac802154_llsec_ cifrar+ 0x30c/0x9c0 ieee802154_subif_start_xmit+0x24/0x1e0 dev_hard_start_xmit+0x13e/0x690 sch_direct_xmit+0x2ae/0xbc0 __dev_queue_xmit+0x11dd/0x3c20 dgram_sendmsg+0x90b/0xd60 __ sys_sendto+0x466/0x4c0 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x45/0xf0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 Adem\u00e1s, Las estructuras ieee802154_llsec_key_entry no son liberadas por mac802154_llsec_key_del(): objeto sin referencia 0xffff8880613b6980 (tama\u00f1o 64): comm \"iwpan\", pid 2176, jiffies 4294761134 (edad 60,475 s) volcado hexadecimal (primeros 32 bytes): 8 0d 8f 18 80 88 y siguientes y siguientes 22 01 00 00 00 00 ad de x.......\"....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ........... ..... retroceso: [] __kmem_cache_alloc_node+0x1e2/0x2d0 [] kmalloc_trace+0x25/0xc0 [] mac802154_llsec_key_add+0xac9/0xcf0 ffffffff8896e41a&gt;] ieee802154_add_llsec_key+0x5a/0x80 [] nl802154_add_llsec_key+0x426/0x5b0 [] genl_family_rcv_msg_doit+0x1fe/0x2f0 [] genl_rcv_msg+0x531/0x7d0 [] netlink_rcv_skb+0x169/0x440 [] genl_rcv+0x28/0x40 [] netlink_unicast+0x53c/0x820 [] netlink_sendmsg+0x93b/0xe60 [] ____sys_sendmsg+0xac5/0xca0 [] ___sys_sendmsg+0x11d/0 x1c0 [] __sys_sendmsg+0xfa/0x1d0 [] do_syscall_64+0x45/0xf0 [] Entry_SYSCALL_64_after_hwframe+0x6e/0x76 Maneja la liberaci\u00f3n adecuada de recursos en la funci\u00f3n de devoluci\u00f3n de llamada de RCU mac802154_llsec_key_del_rcu(). Tenga en cuenta que si llsec_lookup_key() encuentra una clave, obtiene un recuento a trav\u00e9s de llsec_key_get() y copia localmente la identificaci\u00f3n de la clave de key_entry (que es un elemento de la lista). Por lo tanto, es seguro llamar a llsec_key_put() y liberar la entrada de la lista despu\u00e9s de que transcurra el per\u00edodo de gracia de RCU. Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org)."}], "id": "CVE-2024-26961", "lastModified": "2024-12-23T13:37:44.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-01T06:15:12.437", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:5102", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5101", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.16.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5065", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.115.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5065", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.115.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5065", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.115.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:10262", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.81.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:8617", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.42.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8617", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.42.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8613", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.90.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:8614", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.90.1.rt14.375.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-30T00:00:00Z"}], "bugzilla": {"description": "kernel: mac802154: fix llsec key resources release in mac802154_llsec_key_del", "id": "2278176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278176"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-459", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n<TASK>\nllsec_lookup_key.isra.0+0x890/0x9e0\nmac802154_llsec_encrypt+0x30c/0x9c0\nieee802154_subif_start_xmit+0x24/0x1e0\ndev_hard_start_xmit+0x13e/0x690\nsch_direct_xmit+0x2ae/0xbc0\n__dev_queue_xmit+0x11dd/0x3c20\ndgram_sendmsg+0x90b/0xd60\n__sys_sendto+0x466/0x4c0\n__x64_sys_sendto+0xe0/0x1c0\ndo_syscall_64+0x45/0xf0\nentry_SYSCALL_64_after_hwframe+0x6e/0x76\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\nunreferenced object 0xffff8880613b6980 (size 64):\ncomm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\nhex dump (first 32 bytes):\n78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\nbacktrace:\n[<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n[<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n[<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n[<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n[<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n[<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n[<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n[<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n[<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n[<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n[<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n[<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n[<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n[<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n[<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n[<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\nFound by Linux Verification Center (linuxtesting.org).", "A flaw was found in the Linux Kernel where resources are improperly managed in IEEE 802.15.4 networking, leading to a potential use-after-free issue, resulting in a denial of service."], "name": "CVE-2024-26961", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26961\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26961\nhttps://lore.kernel.org/linux-cve-announce/2024050129-CVE-2024-26961-408d@gregkh/T"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-459: Incomplete Cleanup vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform's ephemeral workloads, strict lifecycle management, and automated resource cleanup routines significantly reduce the likelihood that residual data would persist in a meaningful or exploitable state. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, reducing the risk of DoS attacks. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention to detect anomalies and enforce cleanup procedures.", "threat_severity": "Moderate"}

{}