CVE-2024-26631
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-26631
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26631.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-26631
- Downstream
- Related
- Published
- 2024-03-18T10:07:48Z
- Modified
- 2025-10-16T21:05:46.031332Z
- Summary
- ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: fix data-race in ipv6mcdown / mldifcwork
idev->mcifccount can be written over without proper locking.
Originally found by syzbot [1], fix this issue by encapsulating calls to mldifcstopwork() (and mldgqstopwork() for good measure) with mutexlock() and mutexunlock() accordingly as these functions should only be called with mc_lock per their declarations.
[1] BUG: KCSAN: data-race in ipv6mcdown / mldifcwork
write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0: mldifcstopwork net/ipv6/mcast.c:1080 [inline] ipv6mcdown+0x10a/0x280 net/ipv6/mcast.c:2725 addrconfifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949 addrconfnotify+0x310/0x980 notifiercallchain kernel/notifier.c:93 [inline] rawnotifiercallchain+0x6b/0x1c0 kernel/notifier.c:461 _devnotifyflags+0x205/0x3d0 devchangeflags+0xab/0xd0 net/core/dev.c:8685 dosetlink+0x9f6/0x2430 net/core/rtnetlink.c:2916 rtnlgroupchangelink net/core/rtnetlink.c:3458 [inline] _rtnlnewlink net/core/rtnetlink.c:3717 [inline] rtnlnewlink+0xbb3/0x1670 net/core/rtnetlink.c:3754 rtnetlinkrcvmsg+0x807/0x8c0 net/core/rtnetlink.c:6558 netlinkrcvskb+0x126/0x220 net/netlink/afnetlink.c:2545 rtnetlinkrcv+0x1c/0x20 net/core/rtnetlink.c:6576 netlinkunicastkernel net/netlink/afnetlink.c:1342 [inline] netlinkunicast+0x589/0x650 net/netlink/afnetlink.c:1368 netlinksendmsg+0x66e/0x770 net/netlink/afnetlink.c:1910 ...
write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1: mldifcwork+0x54c/0x7b0 net/ipv6/mcast.c:2653 processonework kernel/workqueue.c:2627 [inline] processscheduledworks+0x5b8/0xa30 kernel/workqueue.c:2700 worker_thread+0x525/0x730 kernel/workqueue.c:2781 ...
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/2e7ef287f07c74985f1bf2858bedc62bd9ebf155
- https://git.kernel.org/stable/c/380540bb06bb1d1b12bdc947d1b8f56cda6b5663
- https://git.kernel.org/stable/c/3bb5849675ae1d592929798a2b37ea450879c855
- https://git.kernel.org/stable/c/3cc283fd16fba72e2cefe3a6f48d7a36b0438900
- https://git.kernel.org/stable/c/62b3387beef11738eb6ce667601a28fa089fa02c
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2d9a93b4902be6a5504b5941dd15e9cd776aadcaFixed62b3387beef11738eb6ce667601a28fa089fa02c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2d9a93b4902be6a5504b5941dd15e9cd776aadcaFixed380540bb06bb1d1b12bdc947d1b8f56cda6b5663
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2d9a93b4902be6a5504b5941dd15e9cd776aadcaFixed3cc283fd16fba72e2cefe3a6f48d7a36b0438900
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2d9a93b4902be6a5504b5941dd15e9cd776aadcaFixed3bb5849675ae1d592929798a2b37ea450879c855
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2d9a93b4902be6a5504b5941dd15e9cd776aadcaFixed2e7ef287f07c74985f1bf2858bedc62bd9ebf155