AZL-55974

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-55974.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-55974

Upstream

CVE-2024-26866

Published

2024-04-17T11:15:09Z

Modified

2026-04-01T05:18:47.186801Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2024-26866 affecting package kernel 5.15.200.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

spi: lpspi: Avoid potential use-after-free in probe()

fsllpspiprobe() is allocating/disposing memory manually with spiallochost()/spialloctarget(), but uses devmspiregistercontroller(). In case of error after the latter call the memory will be explicitly freed in the probe function by spicontrollerput() call, but used afterwards by "devm" management outside probe() (spiunregistercontroller() <- devmspi_unregister() below).

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070 ... Call trace: kernfsfindns kernfsfindandgetns sysfsremovegroup sysfsremovegroups deviceremoveattrs devicedel spiunregistercontroller devmspiunregister releasenodes devresreleaseall reallyprobe driverprobe_device __deviceattachdriver busforeach_drv _deviceattach deviceinitialprobe busprobedevice deferredprobeworkfunc processonework workerthread kthread retfromfork

References

https://nvd.nist.gov/vuln/detail/CVE-2024-26866

Affected packages

Azure Linux:2 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.15.200.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-55974.json"