{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26870","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.184Z","datePublished":"2024-04-17T10:27:30.756Z","dateUpdated":"2026-05-12T11:49:46.342Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:05:43.583Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\n\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\n\n  [   99.403778] kernel BUG at mm/usercopy.c:102!\n  [   99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  [   99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n  [   99.415827] Call trace:\n  [   99.415985]  usercopy_abort+0x70/0xa0\n  [   99.416227]  __check_heap_object+0x134/0x158\n  [   99.416505]  check_heap_object+0x150/0x188\n  [   99.416696]  __check_object_size.part.0+0x78/0x168\n  [   99.416886]  __check_object_size+0x28/0x40\n  [   99.417078]  listxattr+0x8c/0x120\n  [   99.417252]  path_listxattr+0x78/0xe0\n  [   99.417476]  __arm64_sys_listxattr+0x28/0x40\n  [   99.417723]  invoke_syscall+0x78/0x100\n  [   99.417929]  el0_svc_common.constprop.0+0x48/0xf0\n  [   99.418186]  do_el0_svc+0x24/0x38\n  [   99.418376]  el0_svc+0x3c/0x110\n  [   99.418554]  el0t_64_sync_handler+0x120/0x130\n  [   99.418788]  el0t_64_sync+0x194/0x198\n  [   99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\n\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\n\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfs/nfs4proc.c"],"versions":[{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"4403438eaca6e91f02d272211c4d6b045092396b","status":"affected","versionType":"git"},{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"9d52865ff28245fc2134da9f99baff603a24407a","status":"affected","versionType":"git"},{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"06e828b3f1b206de08ef520fc46a40b22e1869cb","status":"affected","versionType":"git"},{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"79cdcc765969d23f4e3d6ea115660c3333498768","status":"affected","versionType":"git"},{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"80365c9f96015bbf048fdd6c8705d3f8770132bf","status":"affected","versionType":"git"},{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"23bfecb4d852751d5e403557dd500bb563313baf","status":"affected","versionType":"git"},{"version":"012a211abd5db098094ce429de5f046368391e68","lessThan":"251a658bbfceafb4d58c76b77682c8bf7bcfad65","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfs/nfs4proc.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.10.214","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.153","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.83","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.23","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.11","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.2","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.10.214"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.153"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.1.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.7.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.8.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b"},{"url":"https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a"},{"url":"https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb"},{"url":"https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768"},{"url":"https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf"},{"url":"https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf"},{"url":"https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65"}],"title":"NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26870","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-28T19:56:13.503124Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:49:37.605Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:04.235Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]}]},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T11:49:46.342Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","versions":[{"status":"affected","version":"0","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}]}]},"dataVersion":"5.2"}