Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-56650
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: x_tables: fix LED ID check in led_tg_check()<br /> <br /> Syzbot has reported the following BUG detected by KASAN:<br /> <br /> BUG: KASAN: slab-out-of-bounds in strlen+0x58/0x70<br /> Read of size 1 at addr ffff8881022da0c8 by task repro/5879<br /> ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x241/0x360<br /> ? __pfx_dump_stack_lvl+0x10/0x10<br /> ? __pfx__printk+0x10/0x10<br /> ? _printk+0xd5/0x120<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x183/0x530<br /> print_report+0x169/0x550<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __virt_addr_valid+0x45f/0x530<br /> ? __phys_addr+0xba/0x170<br /> ? strlen+0x58/0x70<br /> kasan_report+0x143/0x180<br /> ? strlen+0x58/0x70<br /> strlen+0x58/0x70<br /> kstrdup+0x20/0x80<br /> led_tg_check+0x18b/0x3c0<br /> xt_check_target+0x3bb/0xa40<br /> ? __pfx_xt_check_target+0x10/0x10<br /> ? stack_depot_save_flags+0x6e4/0x830<br /> ? nft_target_init+0x174/0xc30<br /> nft_target_init+0x82d/0xc30<br /> ? __pfx_nft_target_init+0x10/0x10<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? rcu_is_watching+0x15/0xb0<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? nf_tables_newrule+0x1609/0x2980<br /> ? __kmalloc_noprof+0x21a/0x400<br /> nf_tables_newrule+0x1860/0x2980<br /> ? __pfx_nf_tables_newrule+0x10/0x10<br /> ? __nla_parse+0x40/0x60<br /> nfnetlink_rcv+0x14e5/0x2ab0<br /> ? __pfx_validate_chain+0x10/0x10<br /> ? __pfx_nfnetlink_rcv+0x10/0x10<br /> ? __lock_acquire+0x1384/0x2050<br /> ? netlink_deliver_tap+0x2e/0x1b0<br /> ? __pfx_lock_release+0x10/0x10<br /> ? netlink_deliver_tap+0x2e/0x1b0<br /> netlink_unicast+0x7f8/0x990<br /> ? __pfx_netlink_unicast+0x10/0x10<br /> ? __virt_addr_valid+0x183/0x530<br /> ? __check_object_size+0x48e/0x900<br /> netlink_sendmsg+0x8e4/0xcb0<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> ? aa_sock_msg_perm+0x91/0x160<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> __sock_sendmsg+0x223/0x270<br /> ____sys_sendmsg+0x52a/0x7e0<br /> ? __pfx_____sys_sendmsg+0x10/0x10<br /> __sys_sendmsg+0x292/0x380<br /> ? __pfx___sys_sendmsg+0x10/0x10<br /> ? lockdep_hardirqs_on_prepare+0x43d/0x780<br /> ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10<br /> ? exc_page_fault+0x590/0x8c0<br /> ? do_syscall_64+0xb6/0x230<br /> do_syscall_64+0xf3/0x230<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> <br /> Since an invalid (without &amp;#39;\0&amp;#39; byte at all) byte sequence may be passed<br /> from userspace, add an extra check to ensure that such a sequence is<br /> rejected as possible ID and so never passed to &amp;#39;kstrdup()&amp;#39; and further.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025

CVE-2024-56651
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: hi311x: hi3110_can_ist(): fix potential use-after-free<br /> <br /> The commit a22bd630cfff ("can: hi311x: do not report txerr and rxerr<br /> during bus-off") removed the reporting of rxerr and txerr even in case<br /> of correct operation (i. e. not bus-off).<br /> <br /> The error count information added to the CAN frame after netif_rx() is<br /> a potential use after free, since there is no guarantee that the skb<br /> is in the same state. It might be freed or reused.<br /> <br /> Fix the issue by postponing the netif_rx() call in case of txerr and<br /> rxerr reporting.
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2025

CVE-2024-56643
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dccp: Fix memory leak in dccp_feat_change_recv<br /> <br /> If dccp_feat_push_confirm() fails after new value for SP feature was accepted<br /> without reconciliation (&amp;#39;entry == NULL&amp;#39; branch), memory allocated for that value<br /> with dccp_feat_clone_sp_val() is never freed.<br /> <br /> Here is the kmemleak stack for this:<br /> <br /> unreferenced object 0xffff88801d4ab488 (size 8):<br /> comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)<br /> hex dump (first 8 bytes):<br /> 01 b4 4a 1d 80 88 ff ff ..J.....<br /> backtrace:<br /> [] kmemdup+0x23/0x50 mm/util.c:128<br /> [] kmemdup include/linux/string.h:465 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]<br /> [] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]<br /> [] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]<br /> [] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416<br /> [] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125<br /> [] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650<br /> [] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688<br /> [] sk_backlog_rcv include/net/sock.h:1041 [inline]<br /> [] __release_sock+0x139/0x3b0 net/core/sock.c:2570<br /> [] release_sock+0x54/0x1b0 net/core/sock.c:3111<br /> [] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]<br /> [] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696<br /> [] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735<br /> [] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865<br /> [] __sys_connect+0x165/0x1a0 net/socket.c:1882<br /> [] __do_sys_connect net/socket.c:1892 [inline]<br /> [] __se_sys_connect net/socket.c:1889 [inline]<br /> [] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889<br /> [] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46<br /> [] entry_SYSCALL_64_after_hwframe+0x67/0xd1<br /> <br /> Clean up the allocated memory in case of dccp_feat_push_confirm() failure<br /> and bail out with an error reset code.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity CVSS v4.0: Pending analysis
Last modification:
17/04/2025

CVE-2024-56634
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: grgpio: Add NULL check in grgpio_probe<br /> <br /> devm_kasprintf() can return a NULL pointer on failure,but this<br /> returned value in grgpio_probe is not checked.<br /> Add NULL check in grgpio_probe, to handle kernel NULL<br /> pointer dereference error.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2025

CVE-2024-56636
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> geneve: do not assume mac header is set in geneve_xmit_skb()<br /> <br /> We should not assume mac header is set in output path.<br /> <br /> Use skb_eth_hdr() instead of eth_hdr() to fix the issue.<br /> <br /> sysbot reported the following :<br /> <br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 skb_mac_header include/linux/skbuff.h:3052 [inline]<br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 eth_hdr include/linux/if_ether.h:24 [inline]<br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit_skb drivers/net/geneve.c:898 [inline]<br /> WARNING: CPU: 0 PID: 11635 at include/linux/skbuff.h:3052 geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 11635 Comm: syz.4.1423 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:skb_mac_header include/linux/skbuff.h:3052 [inline]<br /> RIP: 0010:eth_hdr include/linux/if_ether.h:24 [inline]<br /> RIP: 0010:geneve_xmit_skb drivers/net/geneve.c:898 [inline]<br /> RIP: 0010:geneve_xmit+0x4c38/0x5730 drivers/net/geneve.c:1039<br /> Code: 21 c6 02 e9 35 d4 ff ff e8 a5 48 4c fb 90 0f 0b 90 e9 fd f5 ff ff e8 97 48 4c fb 90 0f 0b 90 e9 d8 f5 ff ff e8 89 48 4c fb 90 0b 90 e9 41 e4 ff ff e8 7b 48 4c fb 90 0f 0b 90 e9 cd e7 ff ff<br /> RSP: 0018:ffffc90003b2f870 EFLAGS: 00010283<br /> RAX: 000000000000037a RBX: 000000000000ffff RCX: ffffc9000dc3d000<br /> RDX: 0000000000080000 RSI: ffffffff86428417 RDI: 0000000000000003<br /> RBP: ffffc90003b2f9f0 R08: 0000000000000003 R09: 000000000000ffff<br /> R10: 000000000000ffff R11: 0000000000000002 R12: ffff88806603c000<br /> R13: 0000000000000000 R14: ffff8880685b2780 R15: 0000000000000e23<br /> FS: 00007fdc2deed6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000001b30a1dff8 CR3: 0000000056b8c000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __netdev_start_xmit include/linux/netdevice.h:5002 [inline]<br /> netdev_start_xmit include/linux/netdevice.h:5011 [inline]<br /> __dev_direct_xmit+0x58a/0x720 net/core/dev.c:4490<br /> dev_direct_xmit include/linux/netdevice.h:3181 [inline]<br /> packet_xmit+0x1e4/0x360 net/packet/af_packet.c:285<br /> packet_snd net/packet/af_packet.c:3146 [inline]<br /> packet_sendmsg+0x2700/0x5660 net/packet/af_packet.c:3178<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg net/socket.c:726 [inline]<br /> __sys_sendto+0x488/0x4f0 net/socket.c:2197<br /> __do_sys_sendto net/socket.c:2204 [inline]<br /> __se_sys_sendto net/socket.c:2200 [inline]<br /> __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2200<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2024

CVE-2024-56637
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ipset: Hold module reference while requesting a module<br /> <br /> User space may unload ip_set.ko while it is itself requesting a set type<br /> backend module, leading to a kernel crash. The race condition may be<br /> provoked by inserting an mdelay() right after the nfnl_unlock() call.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2024

CVE-2024-56638
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_inner: incorrect percpu area handling under softirq<br /> <br /> Softirq can interrupt ongoing packet from process context that is<br /> walking over the percpu area that contains inner header offsets.<br /> <br /> Disable bh and perform three checks before restoring the percpu inner<br /> header offsets to validate that the percpu area is valid for this<br /> skbuff:<br /> <br /> 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff<br /> has already been parsed before for inner header fetching to<br /> register.<br /> <br /> 2) Validate that the percpu area refers to this skbuff using the<br /> skbuff pointer as a cookie. If there is a cookie mismatch, then<br /> this skbuff needs to be parsed again.<br /> <br /> 3) Finally, validate if the percpu area refers to this tunnel type.<br /> <br /> Only after these three checks the percpu area is restored to a on-stack<br /> copy and bh is enabled again.<br /> <br /> After inner header fetching, the on-stack copy is stored back to the<br /> percpu area.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2024

CVE-2024-56639
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hsr: must allocate more bytes for RedBox support<br /> <br /> Blamed commit forgot to change hsr_init_skb() to allocate<br /> larger skb for RedBox case.<br /> <br /> Indeed, send_hsr_supervision_frame() will add<br /> two additional components (struct hsr_sup_tlv<br /> and struct hsr_sup_payload)<br /> <br /> syzbot reported the following crash:<br /> skbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:206 !<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> CPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206<br /> Code: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c<br /> RSP: 0018:ffffc90000858ab8 EFLAGS: 00010282<br /> RAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69<br /> RDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005<br /> RBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000<br /> R10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a<br /> R13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140<br /> FS: 000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> skb_over_panic net/core/skbuff.c:211 [inline]<br /> skb_put+0x174/0x1b0 net/core/skbuff.c:2617<br /> send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342<br /> hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436<br /> call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794<br /> expire_timers kernel/time/timer.c:1845 [inline]<br /> __run_timers+0x6e8/0x930 kernel/time/timer.c:2419<br /> __run_timer_base kernel/time/timer.c:2430 [inline]<br /> __run_timer_base kernel/time/timer.c:2423 [inline]<br /> run_timer_base+0x111/0x190 kernel/time/timer.c:2439<br /> run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449<br /> handle_softirqs+0x213/0x8f0 kernel/softirq.c:554<br /> __do_softirq kernel/softirq.c:588 [inline]<br /> invoke_softirq kernel/softirq.c:428 [inline]<br /> __irq_exit_rcu kernel/softirq.c:637 [inline]<br /> irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649<br /> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]<br /> sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049<br />
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2024

CVE-2024-56641
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: initialize close_work early to avoid warning<br /> <br /> We encountered a warning that close_work was canceled before<br /> initialization.<br /> <br /> WARNING: CPU: 7 PID: 111103 at kernel/workqueue.c:3047 __flush_work+0x19e/0x1b0<br /> Workqueue: events smc_lgr_terminate_work [smc]<br /> RIP: 0010:__flush_work+0x19e/0x1b0<br /> Call Trace:<br /> ? __wake_up_common+0x7a/0x190<br /> ? work_busy+0x80/0x80<br /> __cancel_work_timer+0xe3/0x160<br /> smc_close_cancel_work+0x1a/0x70 [smc]<br /> smc_close_active_abort+0x207/0x360 [smc]<br /> __smc_lgr_terminate.part.38+0xc8/0x180 [smc]<br /> process_one_work+0x19e/0x340<br /> worker_thread+0x30/0x370<br /> ? process_one_work+0x340/0x340<br /> kthread+0x117/0x130<br /> ? __kthread_cancel_work+0x50/0x50<br /> ret_from_fork+0x22/0x30<br /> <br /> This is because when smc_close_cancel_work is triggered, e.g. the RDMA<br /> driver is rmmod and the LGR is terminated, the conn-&gt;close_work is<br /> flushed before initialization, resulting in WARN_ON(!work-&gt;func).<br /> <br /> __smc_lgr_terminate | smc_connect_{rdma|ism}<br /> -------------------------------------------------------------<br /> | smc_conn_create<br /> | \- smc_lgr_register_conn<br /> for conn in lgr-&gt;conns_all |<br /> \- smc_conn_kill |<br /> \- smc_close_active_abort |<br /> \- smc_close_cancel_work |<br /> \- cancel_work_sync |<br /> \- __flush_work |<br /> (close_work) |<br /> | smc_close_init<br /> | \- INIT_WORK(&amp;close_work)<br /> <br /> So fix this by initializing close_work before establishing the<br /> connection.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2024

CVE-2024-56635
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: avoid potential UAF in default_operstate()<br /> <br /> syzbot reported an UAF in default_operstate() [1]<br /> <br /> Issue is a race between device and netns dismantles.<br /> <br /> After calling __rtnl_unlock() from netdev_run_todo(),<br /> we can not assume the netns of each device is still alive.<br /> <br /> Make sure the device is not in NETREG_UNREGISTERED state,<br /> and add an ASSERT_RTNL() before the call to<br /> __dev_get_by_index().<br /> <br /> We might move this ASSERT_RTNL() in __dev_get_by_index()<br /> in the future.<br /> <br /> [1]<br /> <br /> BUG: KASAN: slab-use-after-free in __dev_get_by_index+0x5d/0x110 net/core/dev.c:852<br /> Read of size 8 at addr ffff888043eba1b0 by task syz.0.0/5339<br /> <br /> CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10296-gaaf20f870da0 #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:489<br /> kasan_report+0x143/0x180 mm/kasan/report.c:602<br /> __dev_get_by_index+0x5d/0x110 net/core/dev.c:852<br /> default_operstate net/core/link_watch.c:51 [inline]<br /> rfc2863_policy+0x224/0x300 net/core/link_watch.c:67<br /> linkwatch_do_dev+0x3e/0x170 net/core/link_watch.c:170<br /> netdev_run_todo+0x461/0x1000 net/core/dev.c:10894<br /> rtnl_unlock net/core/rtnetlink.c:152 [inline]<br /> rtnl_net_unlock include/linux/rtnetlink.h:133 [inline]<br /> rtnl_dellink+0x760/0x8d0 net/core/rtnetlink.c:3520<br /> rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911<br /> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]<br /> netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347<br /> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891<br /> sock_sendmsg_nosec net/socket.c:711 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:726<br /> ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583<br /> ___sys_sendmsg net/socket.c:2637 [inline]<br /> __sys_sendmsg+0x269/0x350 net/socket.c:2669<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f2a3cb80809<br /> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f2a3d9cd058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 00007f2a3cd45fa0 RCX: 00007f2a3cb80809<br /> RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000008<br /> RBP: 00007f2a3cbf393e R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 00007f2a3cd45fa0 R15: 00007ffd03bc65c8<br /> <br /> <br /> Allocated by task 5339:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314<br /> kmalloc_noprof include/linux/slab.h:901 [inline]<br /> kmalloc_array_noprof include/linux/slab.h:945 [inline]<br /> netdev_create_hash net/core/dev.c:11870 [inline]<br /> netdev_init+0x10c/0x250 net/core/dev.c:11890<br /> ops_init+0x31e/0x590 net/core/net_namespace.c:138<br /> setup_net+0x287/0x9e0 net/core/net_namespace.c:362<br /> copy_net_ns+0x33f/0x570 net/core/net_namespace.c:500<br /> create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110<br /> unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228<br /> ksys_unshare+0x57d/0xa70 kernel/fork.c:3314<br /> __do_sys_unshare kernel/fork.c:3385 [inline]<br /> __se_sys_unshare kernel/fork.c:3383 [inline]<br /> __x64_sys_unshare+0x38/0x40 kernel/fork.c:3383<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x8<br /> ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025

CVE-2024-56640
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix LGR and link use-after-free issue<br /> <br /> We encountered a LGR/link use-after-free issue, which manifested as<br /> the LGR/link refcnt reaching 0 early and entering the clear process,<br /> making resource access unsafe.<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140<br /> Workqueue: events smc_lgr_terminate_work [smc]<br /> Call trace:<br /> refcount_warn_saturate+0x9c/0x140<br /> __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]<br /> smc_lgr_terminate_work+0x28/0x30 [smc]<br /> process_one_work+0x1b8/0x420<br /> worker_thread+0x158/0x510<br /> kthread+0x114/0x118<br /> <br /> or<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140<br /> Workqueue: smc_hs_wq smc_listen_work [smc]<br /> Call trace:<br /> refcount_warn_saturate+0xf0/0x140<br /> smcr_link_put+0x1cc/0x1d8 [smc]<br /> smc_conn_free+0x110/0x1b0 [smc]<br /> smc_conn_abort+0x50/0x60 [smc]<br /> smc_listen_find_device+0x75c/0x790 [smc]<br /> smc_listen_work+0x368/0x8a0 [smc]<br /> process_one_work+0x1b8/0x420<br /> worker_thread+0x158/0x510<br /> kthread+0x114/0x118<br /> <br /> It is caused by repeated release of LGR/link refcnt. One suspect is that<br /> smc_conn_free() is called repeatedly because some smc_conn_free() from<br /> server listening path are not protected by sock lock.<br /> <br /> e.g.<br /> <br /> Calls under socklock | smc_listen_work<br /> -------------------------------------------------------<br /> lock_sock(sk) | smc_conn_abort<br /> smc_conn_free | \- smc_conn_free<br /> \- smcr_link_put | \- smcr_link_put (duplicated)<br /> release_sock(sk)<br /> <br /> So here add sock lock protection in smc_listen_work() path, making it<br /> exclusive with other connection operations.
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2025

CVE-2024-56642
Publication date:
27/12/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tipc: Fix use-after-free of kernel socket in cleanup_bearer().<br /> <br /> syzkaller reported a use-after-free of UDP kernel socket<br /> in cleanup_bearer() without repro. [0][1]<br /> <br /> When bearer_disable() calls tipc_udp_disable(), cleanup<br /> of the UDP kernel socket is deferred by work calling<br /> cleanup_bearer().<br /> <br /> tipc_exit_net() waits for such works to finish by checking<br /> tipc_net(net)-&gt;wq_count. However, the work decrements the<br /> count too early before releasing the kernel socket,<br /> unblocking cleanup_net() and resulting in use-after-free.<br /> <br /> Let&amp;#39;s move the decrement after releasing the socket in<br /> cleanup_bearer().<br /> <br /> [0]:<br /> ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at<br /> sk_alloc+0x438/0x608<br /> inet_create+0x4c8/0xcb0<br /> __sock_create+0x350/0x6b8<br /> sock_create_kern+0x58/0x78<br /> udp_sock_create4+0x68/0x398<br /> udp_sock_create+0x88/0xc8<br /> tipc_udp_enable+0x5e8/0x848<br /> __tipc_nl_bearer_enable+0x84c/0xed8<br /> tipc_nl_bearer_enable+0x38/0x60<br /> genl_family_rcv_msg_doit+0x170/0x248<br /> genl_rcv_msg+0x400/0x5b0<br /> netlink_rcv_skb+0x1dc/0x398<br /> genl_rcv+0x44/0x68<br /> netlink_unicast+0x678/0x8b0<br /> netlink_sendmsg+0x5e4/0x898<br /> ____sys_sendmsg+0x500/0x830<br /> <br /> [1]:<br /> BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]<br /> BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979<br /> udp_hashslot include/net/udp.h:85 [inline]<br /> udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979<br /> sk_common_release+0xaf/0x3f0 net/core/sock.c:3820<br /> inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437<br /> inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489<br /> __sock_release net/socket.c:658 [inline]<br /> sock_release+0xa0/0x210 net/socket.c:686<br /> cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310<br /> worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391<br /> kthread+0x531/0x6b0 kernel/kthread.c:389<br /> ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244<br /> <br /> Uninit was created at:<br /> slab_free_hook mm/slub.c:2269 [inline]<br /> slab_free mm/slub.c:4580 [inline]<br /> kmem_cache_free+0x207/0xc40 mm/slub.c:4682<br /> net_free net/core/net_namespace.c:454 [inline]<br /> cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310<br /> worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391<br /> kthread+0x531/0x6b0 kernel/kthread.c:389<br /> ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244<br /> <br /> CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> Workqueue: events cleanup_bearer
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025
Subscribe to Vulnerabilities