{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-49940","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.043Z","datePublished":"2024-10-21T18:01:59.668Z","dateUpdated":"2026-01-05T10:54:33.785Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-01-05T10:54:33.785Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: prevent possible tunnel refcount underflow\n\nWhen a session is created, it sets a backpointer to its tunnel. When\nthe session refcount drops to 0, l2tp_session_free drops the tunnel\nrefcount if session->tunnel is non-NULL. However, session->tunnel is\nset in l2tp_session_create, before the tunnel refcount is incremented\nby l2tp_session_register, which leaves a small window where\nsession->tunnel is non-NULL when the tunnel refcount hasn't been\nbumped.\n\nMoving the assignment to l2tp_session_register is trivial but\nl2tp_session_create calls l2tp_session_set_header_len which uses\nsession->tunnel to get the tunnel's encap. Add an encap arg to\nl2tp_session_set_header_len to avoid using session->tunnel.\n\nIf l2tpv3 sessions have colliding IDs, it is possible for\nl2tp_v3_session_get to race with l2tp_session_register and fetch a\nsession which doesn't yet have session->tunnel set. Add a check for\nthis case."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/l2tp/l2tp_core.c","net/l2tp/l2tp_core.h","net/l2tp/l2tp_netlink.c","net/l2tp/l2tp_ppp.c"],"versions":[{"version":"3953ae7b218df4d1e544b98a393666f9ae58a78c","lessThan":"f7415e60c25a6108cd7955a20b2e66b6251ffe02","status":"affected","versionType":"git"},{"version":"3953ae7b218df4d1e544b98a393666f9ae58a78c","lessThan":"24256415d18695b46da06c93135f5b51c548b950","status":"affected","versionType":"git"},{"version":"b102bfc2a90d14f342580285782a9a51c74f7369","status":"affected","versionType":"git"},{"version":"10c15ddabbcf888922adbdd44ca3fecf6eab19d9","status":"affected","versionType":"git"},{"version":"8d1c650d452c53fcb3f02a7b1d772741639f89a4","status":"affected","versionType":"git"},{"version":"12b5fb58ac993c24210cf8cbc72d407d3a4e6490","status":"affected","versionType":"git"},{"version":"aef37401b467a0b1a9517c69924a1d66937e0789","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/l2tp/l2tp_core.c","net/l2tp/l2tp_core.h","net/l2tp/l2tp_netlink.c","net/l2tp/l2tp_ppp.c"],"versions":[{"version":"4.15","status":"affected"},{"version":"0","lessThan":"4.15","status":"unaffected","versionType":"semver"},{"version":"6.11.3","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.11.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.225"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.225"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.182"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02"},{"url":"https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950"}],"title":"l2tp: prevent possible tunnel refcount underflow","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-49940","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:37:52.827630Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:38:50.656Z"}}]}}