{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-26961","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.201Z","datePublished":"2024-05-01T05:19:16.361Z","dateUpdated":"2025-05-04T09:00:52.446Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:00:52.446Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org)."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/cfg802154.h","net/mac802154/llsec.c"],"versions":[{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"068ab2759bc0b4daf0b964de61b2731449c86531","status":"affected","versionType":"git"},{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"d3d858650933d44ac12c1f31337e7110c2071821","status":"affected","versionType":"git"},{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"dcd51ab42b7a0431575689c5f74b8b6efd45fc2f","status":"affected","versionType":"git"},{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"20d3e1c8a1847497269f04d874b2a5818ec29e2d","status":"affected","versionType":"git"},{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"640297c3e897bd7e1481466a6a5cb9560f1edb88","status":"affected","versionType":"git"},{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"49c8951680d7b76fceaee89dcfbab1363fb24fd1","status":"affected","versionType":"git"},{"version":"5d637d5aabd85132bd85779677d8acb708e0ed90","lessThan":"e8a1e58345cf40b7b272e08ac7b32328b2543e40","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/cfg802154.h","net/mac802154/llsec.c"],"versions":[{"version":"3.16","status":"affected"},{"version":"0","lessThan":"3.16","status":"unaffected","versionType":"semver"},{"version":"5.10.215","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.154","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.84","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.24","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.12","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.3","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.10.215"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.15.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.1.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.6.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.7.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.8.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531"},{"url":"https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821"},{"url":"https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f"},{"url":"https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d"},{"url":"https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88"},{"url":"https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1"},{"url":"https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40"}],"title":"mac802154: fix llsec key resources release in mac802154_llsec_key_del","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26961","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-28T17:51:17.536237Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:48:15.130Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:05.779Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","tags":["x_transferred"]}]}]},"dataVersion":"5.1"}