{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26800","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.179Z","datePublished":"2024-04-04T08:20:28.554Z","dateUpdated":"2025-05-04T12:54:45.649Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:54:45.649Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_sw.c"],"versions":[{"version":"cd1bbca03f3c1d845ce274c0d0a66de8e5929f72","lessThan":"f2b85a4cc763841843de693bbd7308fe9a2c4c89","status":"affected","versionType":"git"},{"version":"13eca403876bbea3716e82cdfe6f1e6febb38754","lessThan":"81be85353b0f5a7b660635634b655329b429eefe","status":"affected","versionType":"git"},{"version":"ab6397f072e5097f267abf5cb08a8004e6b17694","lessThan":"1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1","status":"affected","versionType":"git"},{"version":"8590541473188741055d27b955db0777569438e3","lessThan":"13114dc5543069f7b97991e3b79937b6da05f5b0","status":"affected","versionType":"git"},{"version":"3ade391adc584f17b5570fd205de3ad029090368","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_sw.c"],"versions":[{"version":"6.6.18","lessThan":"6.6.21","status":"affected","versionType":"semver"},{"version":"6.7.6","lessThan":"6.7.9","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.18","versionEndExcluding":"6.6.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.6","versionEndExcluding":"6.7.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.160"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89"},{"url":"https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe"},{"url":"https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1"},{"url":"https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0"}],"title":"tls: fix use-after-free on failed backlog decryption","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-07-31T20:01:08.576744Z","id":"CVE-2024-26800","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-31T20:01:16.218Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:13.534Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0","tags":["x_transferred"]}]}]}}