{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26960","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.201Z","datePublished":"2024-05-01T05:19:12.112Z","dateUpdated":"2026-05-12T11:50:50.097Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:07:42.928Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/swapfile.c"],"versions":[{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","status":"affected","versionType":"git"},{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"2da5568ee222ce0541bfe446a07998f92ed1643e","status":"affected","versionType":"git"},{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","status":"affected","versionType":"git"},{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","status":"affected","versionType":"git"},{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","status":"affected","versionType":"git"},{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"363d17e7f7907c8e27a9e86968af0eaa2301787b","status":"affected","versionType":"git"},{"version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","lessThan":"82b1c07a0af603e3c47b906c8e991dc96f01688e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["mm/swapfile.c"],"versions":[{"version":"4.11","status":"affected"},{"version":"0","lessThan":"4.11","status":"unaffected","versionType":"semver"},{"version":"5.10.215","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.154","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.84","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.24","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.12","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.3","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.10.215"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.15.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.1.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.6.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.7.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.8.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d"},{"url":"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e"},{"url":"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a"},{"url":"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a"},{"url":"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39"},{"url":"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b"},{"url":"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e"}],"title":"mm: swap: fix race between free_swap_and_cache() and swapoff()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-362","lang":"en","description":"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}],"affected":[{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"d85c11c97ecf","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"2da5568ee222","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"1ede7f1d7eed","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"0f98f6d2fb5f","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"3ce4c4c653e4","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"363d17e7f790","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"7c00bafee87c","status":"affected","lessThan":"82b1c07a0af6","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"5.10.215","status":"unaffected","lessThan":"5.11","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.1.84","status":"unaffected","lessThan":"6.2","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.6.24","status":"unaffected","lessThan":"6.7","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.8.3","status":"unaffected","lessThan":"6.9","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.9","status":"unaffected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"unaffected","lessThan":"4.11","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:4.11:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"4.11","status":"affected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"5.15.154","status":"unaffected","lessThan":"5.16","versionType":"custom"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"6.7.12","status":"unaffected","lessThan":"6.8","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-02-05T21:09:23.358079Z","id":"CVE-2024-26960","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-05T21:09:44.704Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:06.048Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]}]},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T11:50:50.097Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","versions":[{"status":"affected","version":"0","lessThan":"*","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}]}]},"dataVersion":"5.2"}