{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26932","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.195Z","datePublished":"2024-05-01T05:17:19.129Z","dateUpdated":"2025-05-04T09:00:01.282Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:00:01.282Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\n\nWhen unregister pd capabilitie in tcpm, KASAN will capture below double\n-free issue. The root cause is the same capabilitiy will be kfreed twice,\nthe first time is kfreed by pd_capabilities_release() and the second time\nis explicitly kfreed by tcpm_port_unregister_pd().\n\n[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\n[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\n[    4.001206]\n[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\n[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\n[    4.017569] Workqueue: events_unbound deferred_probe_work_func\n[    4.023456] Call trace:\n[    4.025920]  dump_backtrace+0x94/0xec\n[    4.029629]  show_stack+0x18/0x24\n[    4.032974]  dump_stack_lvl+0x78/0x90\n[    4.036675]  print_report+0xfc/0x5c0\n[    4.040289]  kasan_report_invalid_free+0xa0/0xc0\n[    4.044937]  __kasan_slab_free+0x124/0x154\n[    4.049072]  kfree+0xb4/0x1e8\n[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc\n[    4.056725]  tcpm_register_port+0x1dd0/0x2558\n[    4.061121]  tcpci_register_port+0x420/0x71c\n[    4.065430]  tcpci_probe+0x118/0x2e0\n\nTo fix the issue, this will remove kree() from tcpm_port_unregister_pd()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/typec/tcpm/tcpm.c"],"versions":[{"version":"cd099cde4ed264403b434d8344994f97ac2a4349","lessThan":"242e425ed580b2f4dbcb86c8fc03a410a4084a69","status":"affected","versionType":"git"},{"version":"cd099cde4ed264403b434d8344994f97ac2a4349","lessThan":"b63f90487bdf93a4223ce7853d14717e9d452856","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/typec/tcpm/tcpm.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.8.3","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69"},{"url":"https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856"}],"title":"usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-415","lang":"en","description":"CWE-415 Double Free"}]}],"affected":[{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"cd099cde4ed2","status":"affected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.8","status":"affected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"unaffected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.8.3","status":"unaffected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.9","status":"unaffected"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-02-05T21:12:31.346092Z","id":"CVE-2024-26932","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-05T21:13:37.478Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:05.593Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856","tags":["x_transferred"]}]}]}}