{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26692", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.155Z", "datePublished": "2024-04-03T14:54:53.343Z", "dateUpdated": "2025-05-04T08:54:11.399Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:54:11.399Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Fix regression in writes when non-standard maximum write size negotiated\n\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096). When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\n\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\n\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/connect.c", "fs/smb/client/fs_context.c"], "versions": [{"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "lessThan": "4145ccff546ea868428b3e0fe6818c6261b574a9", "status": "affected", "versionType": "git"}, {"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "lessThan": "63c35afd50e28b49c5b75542045a8c42b696dab9", "status": "affected", "versionType": "git"}, {"version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "lessThan": "4860abb91f3d7fbaf8147d54782149bb1fc45892", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/connect.c", "fs/smb/client/fs_context.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.18", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.6", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.6.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.7.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9"}, {"url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9"}, {"url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892"}], "title": "smb: Fix regression in writes when non-standard maximum write size negotiated", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.775Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26692", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:00.719188Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:31.032Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.775Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26692", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:00.719188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:17.099Z"}}], "cna": {"title": "smb: Fix regression in writes when non-standard maximum write size negotiated", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "lessThan": "4145ccff546ea868428b3e0fe6818c6261b574a9", "versionType": "git"}, {"status": "affected", "version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "lessThan": "63c35afd50e28b49c5b75542045a8c42b696dab9", "versionType": "git"}, {"status": "affected", "version": "d08089f649a0cfb2099c8551ac47eef0cc23fdf2", "lessThan": "4860abb91f3d7fbaf8147d54782149bb1fc45892", "versionType": "git"}], "programFiles": ["fs/smb/client/connect.c", "fs/smb/client/fs_context.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.3"}, {"status": "unaffected", "version": "0", "lessThan": "6.3", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.18", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.6", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/client/connect.c", "fs/smb/client/fs_context.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9"}, {"url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9"}, {"url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Fix regression in writes when non-standard maximum write size negotiated\n\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096). When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\n\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\n\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero)."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.18", "versionStartIncluding": "6.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.6", "versionStartIncluding": "6.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "6.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:54:11.399Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26692", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:54:11.399Z", "dateReserved": "2024-02-19T14:20:24.155Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-03T14:54:53.343Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDF44457-CF5B-4B25-AD4C-B88268FE2054", "versionEndExcluding": "6.6.18", "versionStartIncluding": "6.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6D6A5C8-7308-42A9-8A72-ABF3DEA4BB82", "versionEndExcluding": "6.7.6", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*", "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*", "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*", "matchCriteriaId": "62075ACE-B2A0-4B16-829D-B3DA5AE5CC41", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Fix regression in writes when non-standard maximum write size negotiated\n\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096). When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\n\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\n\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero)."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: smb: se corrigi\u00f3 la regresi\u00f3n en las escrituras cuando se negoci\u00f3 un tama\u00f1o de escritura m\u00e1ximo no est\u00e1ndar. La conversi\u00f3n a netfs en el kernel 6.3 provoc\u00f3 una regresi\u00f3n cuando el servidor estableci\u00f3 el tama\u00f1o de escritura m\u00e1ximo en un valor inesperado. que no es un m\u00faltiplo de 4096 (de manera similar, si el usuario anula el tama\u00f1o m\u00e1ximo de escritura configurando el par\u00e1metro de montaje \"wsize\", pero lo establece en un valor que no es un m\u00faltiplo de 4096). Cuando el tama\u00f1o de escritura negociado no es un m\u00faltiplo de 4096, el c\u00f3digo netfs puede omitir el final de la p\u00e1gina final al realizar escrituras secuenciales grandes, lo que provoca corrupci\u00f3n de datos. Esta secci\u00f3n de c\u00f3digo se est\u00e1 reescribiendo/eliminando debido a un gran cambio en netfs, pero hasta ese momento (es decir, para el kernel 6.3 hasta ahora) no podemos admitir tama\u00f1os m\u00e1ximos de escritura no est\u00e1ndar. Agregue una advertencia si un usuario especifica un wsize en el montaje que no es un m\u00faltiplo de 4096 (y redondea hacia abajo), tambi\u00e9n agregue un cambio donde redondeamos hacia abajo el tama\u00f1o m\u00e1ximo de escritura si el servidor negocia un valor que no es un m\u00faltiplo de 4096 ( tambi\u00e9n tenemos que comprobar que no lo redondeamos a cero)."}], "id": "CVE-2024-26692", "lastModified": "2025-03-17T15:38:32.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-03T15:15:52.610", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4145ccff546ea868428b3e0fe6818c6261b574a9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4860abb91f3d7fbaf8147d54782149bb1fc45892"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/63c35afd50e28b49c5b75542045a8c42b696dab9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: smb: Fix regression in writes when non-standard maximum write size negotiated", "id": "2273096", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273096"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-787", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsmb: Fix regression in writes when non-standard maximum write size negotiated\nThe conversion to netfs in the 6.3 kernel caused a regression when\nmaximum write size is set by the server to an unexpected value which is\nnot a multiple of 4096 (similarly if the user overrides the maximum\nwrite size by setting mount parm \"wsize\", but sets it to a value that\nis not a multiple of 4096). When negotiated write size is not a\nmultiple of 4096 the netfs code can skip the end of the final\npage when doing large sequential writes, causing data corruption.\nThis section of code is being rewritten/removed due to a large\nnetfs change, but until that point (ie for the 6.3 kernel until now)\nwe can not support non-standard maximum write sizes.\nAdd a warning if a user specifies a wsize on mount that is not\na multiple of 4096 (and round down), also add a change where we\nround down the maximum write size if the server negotiates a value\nthat is not a multiple of 4096 (we also have to check to make sure that\nwe do not round it down to zero)."], "name": "CVE-2024-26692", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26692\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26692\nhttps://lore.kernel.org/linux-cve-announce/2024040337-CVE-2024-26692-162f@gregkh/T"], "threat_severity": "Low"}

{}