-
CVE-2024-26951
- EPSS 0.03%
- Veröffentlicht 01.05.2024 06:15:11
- Zuletzt bearbeitet 21.11.2024 09:03:28
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- Teams Watchlist Login
- Unerledigt Login
In the Linux kernel, the following vulnerability has been resolved:
wireguard: netlink: check for dangling peer via is_dead instead of empty list
If all peers are removed via wg_peer_remove_all(), rather than setting
peer_list to empty, the peer is added to a temporary list with a head on
the stack of wg_peer_remove_all(). If a netlink dump is resumed and the
cursored peer is one that has been removed via wg_peer_remove_all(), it
will iterate from that peer and then attempt to dump freed peers.
Fix this by instead checking peer->is_dead, which was explictly created
for this purpose. Also move up the device_update_lock lockdep assertion,
since reading is_dead relies on that.
It can be reproduced by a small script like:
echo "Setting config..."
ip link add dev wg0 type wireguard
wg setconf wg0 /big-config
(
while true; do
echo "Showing config..."
wg showconf wg0 > /dev/null
done
) &
sleep 4
wg setconf wg0 <(printf "[Peer]\nPublicKey=$(wg genkey)\n")
Resulting in:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20
Read of size 8 at addr ffff88811956ec70 by task wg/59
CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5
Call Trace:
<TASK>
dump_stack_lvl+0x47/0x70
print_address_description.constprop.0+0x2c/0x380
print_report+0xab/0x250
kasan_report+0xba/0xf0
__lock_acquire+0x182a/0x1b20
lock_acquire+0x191/0x4b0
down_read+0x80/0x440
get_peer+0x140/0xcb0
wg_get_device_dump+0x471/0x1130Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
f52be46e3e6ecefc2539119784324f0cbc09620a
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
Version <
710a177f347282eea162aec8712beb1f42d5ad87
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
Version <
b7cea3a9af0853fdbb1b16633a458f991dde6aac
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
Version <
13d107794304306164481d31ce33f8fdb25a9c04
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
Version <
7bedfe4cfa38771840a355970e4437cd52d4046b
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
Version <
302b2dfc013baca3dea7ceda383930d9297d231d
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
Version <
55b6c738673871c9b0edae05d0c97995c1ff08c4
Version
e7096c131e5161fa3b8e52a650d7719d2857adfd
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
5.6
Status
affected
Version <
5.6
Version
0
Status
unaffected
Version <=
5.10.*
Version
5.10.215
Status
unaffected
Version <=
5.15.*
Version
5.15.154
Status
unaffected
Version <=
6.1.*
Version
6.1.84
Status
unaffected
Version <=
6.6.*
Version
6.6.24
Status
unaffected
Version <=
6.7.*
Version
6.7.12
Status
unaffected
Version <=
6.8.*
Version
6.8.3
Status
unaffected
Version <=
*
Version
6.9
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.058 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|