CVE-2024-26852

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26852
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26852.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26852
Published
2024-04-17T10:17:15.923Z
Modified
2025-11-27T19:33:51.486103Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
Details

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

syzbot found another use-after-free in ip6_route_mpath_notify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause.

We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase.

[1]
BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <TASK>
 dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x167/0x540 mm/kasan/report.c:488
 kasan_report+0x142/0x180 mm/kasan/report.c:601
 rt6_fill_node+0x1460/0x1ac0
 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
 ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
 inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f73dd87dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858
 </TASK>

Allocated by task 23037:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3981 [inline]
 __kmalloc+0x22e/0x490 mm/slub.c:3994
 kmalloc include/linux/slab.h:594 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
 ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
 inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
 do_syscall_64+0xf9/0x240
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 16:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
 poison_slab_object+0xa6/0xe0 m ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2024/26xxx/CVE-2024-26852.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Every range is introduced at commit 3b1137fe74829e021f483756a648cbb87c8a1b4a and fixed at one of the following commits:
  • 31ea5bcc7d4cd1423de6be327a2c034725704136
  • 664f9c647260cc9d68b4e31d9899530d89dd045e
  • 79ce2e54cc0ae366f45516c00bf1b19aa43e9abe
  • cae3303257950d03ffec2df4a45e836f10d26c24
  • 394334fe2ae3b9f1e2332b873857e84cb28aac18
  • ed883060c38721ed828061f6c0c30e5147326c9a
  • 61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda
  • 685f7d531264599b3f167f1e94bbd22f120e5fab

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM

  • Introduced 4.11.0, fixed 4.19.310
  • Introduced 4.20.0, fixed 5.4.272
  • Introduced 5.5.0, fixed 5.10.213
  • Introduced 5.11.0, fixed 5.15.152
  • Introduced 5.16.0, fixed 6.1.82
  • Introduced 6.2.0, fixed 6.6.22
  • Introduced 6.7.0, fixed 6.7.10