CVE-2024-26598

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4	Patch
https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1	Patch
https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f	Patch
https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703	Patch
https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88	Patch
https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6	Patch
https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2024-02-23 15:15

Updated : 2024-06-25 21:15

NVD link : CVE-2024-26598

Mitre link : CVE-2024-26598

CVE.ORG link : CVE-2024-26598

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2024-26598", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-02-23T15:15:09.610", "references": [{"url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: vgic-its: Evite posibles UAF en la cach\u00e9 de traducci\u00f3n LPI. Existe un escenario potencial de UAF en el caso de que un cach\u00e9 de traducci\u00f3n LPI se acelere con una operaci\u00f3n que invalide la cach\u00e9, como un comando DISCARD ITS. La ra\u00edz del problema es que vgic_its_check_cache() no eleva el refcount en vgic_irq antes de eliminar el bloqueo que serializa los cambios de refcount. Haga que vgic_its_check_cache() aumente el refcount en el vgic_irq devuelto y agregue el decremento correspondiente despu\u00e9s de poner en cola la interrupci\u00f3n."}], "lastModified": "2024-06-25T21:15:57.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48E561A5-2F59-4E74-BFAB-39B8D844FD15", "versionEndExcluding": "5.4.269"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D2E4F24-2FBB-4434-8598-2B1499E566B5", "versionEndExcluding": "5.10.209", "versionStartIncluding": "5.5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E25E1389-4B0F-407A-9C94-5908FF3EE88B", "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.11.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C4951FA-80C0-4B4C-9836-6E5035DEB0F9", "versionEndExcluding": "6.1.75", "versionStartIncluding": "5.16.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDBBEB0E-D13A-4567-8984-51C5375350B9", "versionEndExcluding": "6.6.14", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EA3778C-730B-464C-8023-18CA6AC0B807", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}