CVE-2024-26866
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 17/04/2024
Last modified: 27/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

spi: lpspi: Avoid potential use-after-free in probe()

fsl_lpspi_probe() is allocating/disposing memory manually with spi_alloc_host()/spi_alloc_target(), but uses devm_spi_register_controller(). In case of error after the latter call the memory will be explicitly freed in the probe function by spi_controller_put() call, but used afterwards by "devm" management outside probe() (spi_unregister_controller()
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 6.6.23 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.8.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f
- https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861
- https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68
- https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea