{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26957","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.200Z","datePublished":"2024-05-01T05:19:00.134Z","dateUpdated":"2026-05-11T20:07:39.393Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:07:39.393Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8\n    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/s390/crypto/zcrypt_api.c"],"versions":[{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"7e500849fa558879a1cde43f80c7c048c2437058","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"9daddee03de3f231012014dab8ab2b277a116a55","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"6470078ab3d8f222115e11c4ec67351f3031b3dd","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"a55677878b93e9ebc31f66d0e2fb93be5e7836a6","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"b7f6c3630eb3f103115ab0d7613588064f665d0d","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"a64ab862e84e3e698cd351a87cdb504c7fc575ca","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"befb7f889594d23e1b475720cf93efd2f77df000","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484","status":"affected","versionType":"git"},{"version":"e28d2af43614eb86f59812e7221735fc221bbc10","lessThan":"50ed48c80fecbe17218afed4f8bed005c802976c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/s390/crypto/zcrypt_api.c"],"versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","status":"unaffected","versionType":"semver"},{"version":"4.19.312","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.274","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.215","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.154","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.84","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.24","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.12","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.3","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"4.19.312"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.4.274"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.10.215"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.15.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.1.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.6.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.7.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.8.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058"},{"url":"https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55"},{"url":"https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd"},{"url":"https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6"},{"url":"https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d"},{"url":"https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca"},{"url":"https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000"},{"url":"https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484"},{"url":"https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c"}],"title":"s390/zcrypt: fix reference counting on zcrypt card objects","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-416","lang":"en","description":"CWE-416 Use After Free"}]}],"affected":[{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"1da177e4c3f4","status":"affected","lessThan":"7e500849fa55","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"9daddee03de3","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"6470078ab3d8","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"a55677878b93","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"b7f6c3630eb3","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"a64ab862e84e","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"befb7f889594","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"394b6d8bbdf9","versionType":"custom"},{"version":"1da177e4c3f4","status":"affected","lessThan":"50ed48c80fec","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T15:58:32.988246Z","id":"CVE-2024-26957","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-17T15:58:36.584Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:05.861Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]}]}]},"dataVersion":"5.2"}