5.5

CVE-2024-26840

EPSS 0.02%
Published 17.04.2024 10:15:09
Last modified 07.01.2025 17:13:19
Source 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Open
Login

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix memory leak in cachefiles_add_cache()

The following memory leak was reported after unbinding /dev/cachefiles:

==================================================================
unreferenced object 0xffff9b674176e3c0 (size 192):
  comm "cachefilesd2", pid 680, jiffies 4294881224
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc ea38a44b):
    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
==================================================================

Put the reference count of cache_cred in cachefiles_daemon_unbind() to
fix the problem. And also put cache_cred in cachefiles_add_cache() error
branch to avoid memory leaks.

Affected products Warnungen 0 Metrics 2 CWE 1 References 13

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.30 < 4.19.309

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.271

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.212

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.151

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.80

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.19

Linux ≫ Linux Kernel Version >= 6.7 < 6.7.7

Linux ≫ Linux Kernel Version6.8 Updaterc1

Linux ≫ Linux Kernel Version6.8 Updaterc2

Linux ≫ Linux Kernel Version6.8 Updaterc3

Linux ≫ Linux Kernel Version6.8 Updaterc4

Linux ≫ Linux Kernel Version6.8 Updaterc5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.025

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Mailing List

https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Mailing List

https://git.kernel.org/stable/c/037d5a949b0455540ef9aab34c10ddf54b65d285

Patch

https://git.kernel.org/stable/c/38e921616320d159336b0ffadb09e9fb4945c7c3

Patch

https://git.kernel.org/stable/c/43eccc5823732ba6daab2511ed32dfc545a666d8

Patch

https://git.kernel.org/stable/c/8b218e2f0a27a9f09428b1847b4580640b9d1e58

Patch

https://git.kernel.org/stable/c/94965be37add0983672e48ecb33cdbda92b62579

Patch

https://git.kernel.org/stable/c/9cac69912052a4def571fedf1cb9bb4ec590e25a

Patch

https://git.kernel.org/stable/c/cb5466783793e66272624cf71925ae1d1ba32083

Patch

https://git.kernel.org/stable/c/e21a2f17566cbd64926fb8f16323972f7a064444

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-26840

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-26840

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-26840

EUVD