{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26951","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.198Z","datePublished":"2024-05-01T05:18:34.520Z","dateUpdated":"2026-05-12T11:50:47.613Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:07:32.304Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n    echo \"Setting config...\"\n    ip link add dev wg0 type wireguard\n    wg setconf wg0 /big-config\n    (\n            while true; do\n                    echo \"Showing config...\"\n                    wg showconf wg0 > /dev/null\n            done\n    ) &\n    sleep 4\n    wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n    BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n    Read of size 8 at addr ffff88811956ec70 by task wg/59\n    CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n    Call Trace:\n     <TASK>\n     dump_stack_lvl+0x47/0x70\n     print_address_description.constprop.0+0x2c/0x380\n     print_report+0xab/0x250\n     kasan_report+0xba/0xf0\n     __lock_acquire+0x182a/0x1b20\n     lock_acquire+0x191/0x4b0\n     down_read+0x80/0x440\n     get_peer+0x140/0xcb0\n     wg_get_device_dump+0x471/0x1130"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireguard/netlink.c"],"versions":[{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"f52be46e3e6ecefc2539119784324f0cbc09620a","status":"affected","versionType":"git"},{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"710a177f347282eea162aec8712beb1f42d5ad87","status":"affected","versionType":"git"},{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"b7cea3a9af0853fdbb1b16633a458f991dde6aac","status":"affected","versionType":"git"},{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"13d107794304306164481d31ce33f8fdb25a9c04","status":"affected","versionType":"git"},{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"7bedfe4cfa38771840a355970e4437cd52d4046b","status":"affected","versionType":"git"},{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"302b2dfc013baca3dea7ceda383930d9297d231d","status":"affected","versionType":"git"},{"version":"e7096c131e5161fa3b8e52a650d7719d2857adfd","lessThan":"55b6c738673871c9b0edae05d0c97995c1ff08c4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireguard/netlink.c"],"versions":[{"version":"5.6","status":"affected"},{"version":"0","lessThan":"5.6","status":"unaffected","versionType":"semver"},{"version":"5.10.215","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.154","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.84","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.24","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.12","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.3","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.10.215"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"5.15.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.1.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.6.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.7.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.8.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a"},{"url":"https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87"},{"url":"https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac"},{"url":"https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04"},{"url":"https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b"},{"url":"https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d"},{"url":"https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4"}],"title":"wireguard: netlink: check for dangling peer via is_dead instead of empty list","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:05.788Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26951","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T15:45:36.397018Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:32:58.386Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T11:50:47.613Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","versions":[{"status":"affected","version":"0","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}]}]},"dataVersion":"5.2"}