OpenCVE

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2024:3627	2024-06-05T00:00:00Z
kernel-0:4.18.0-553.5.1.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:3618	2024-06-05T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596
https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad
https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2
https://lore.kernel.org/linux-cve-announce/2024040337-CVE-2024-26694-b216@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26694
https://www.cve.org/CVERecord?id=CVE-2024-26694

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-03T14:54:55.138Z

Updated: 2024-11-05T09:14:01.997Z

Reserved: 2024-02-19T14:20:24.156Z

Link: CVE-2024-26694

Vulnrichment

Updated: 2024-08-02T00:14:12.834Z

NVD

Status : Awaiting Analysis

Published: 2024-04-03T15:15:52.717

Modified: 2024-11-21T09:02:51.727

Link: CVE-2024-26694

Redhat

Severity : Moderate

Publid Date: 2024-04-03T00:00:00Z

Links: CVE-2024-26694 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26694", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.156Z", "datePublished": "2024-04-03T14:54:55.138Z", "dateUpdated": "2024-11-05T09:14:01.997Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:14:01.997Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "versions": [{"version": "5e31b3df86ec", "lessThan": "ab9d4bb9a189", "status": "affected", "versionType": "git"}, {"version": "5e31b3df86ec", "lessThan": "d24eb9a27bea", "status": "affected", "versionType": "git"}, {"version": "5e31b3df86ec", "lessThan": "353d321f63f7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.18", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.6", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}], "title": "wifi: iwlwifi: fix double-free bug", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-17T19:29:52.861166Z", "id": "CVE-2024-26694", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T19:30:17.789Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.834Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.834Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26694", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-17T19:29:52.861166Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T19:29:57.977Z"}}], "cna": {"title": "wifi: iwlwifi: fix double-free bug", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5e31b3df86ec", "lessThan": "ab9d4bb9a189", "versionType": "git"}, {"status": "affected", "version": "5e31b3df86ec", "lessThan": "d24eb9a27bea", "versionType": "git"}, {"status": "affected", "version": "5e31b3df86ec", "lessThan": "353d321f63f7", "versionType": "git"}], "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.4"}, {"status": "unaffected", "version": "0", "lessThan": "6.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.18", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.6", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:14:01.997Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26694", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:14:01.997Z", "dateReserved": "2024-02-19T14:20:24.156Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-03T14:54:55.138Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: iwlwifi: corrige el error de doble liberaci\u00f3n El almacenamiento de los datos de registro de PC TLV no se realiz\u00f3 como el resto del almacenamiento en el \u00e1rea drv->fw, que se borra en el fin de la desasignaci\u00f3n. Por lo tanto, la liberaci\u00f3n tambi\u00e9n debe realizarse de manera diferente, anul\u00e1ndolo expl\u00edcitamente despu\u00e9s de la liberaci\u00f3n, ya que de lo contrario hay un desagradable error de doble liberaci\u00f3n aqu\u00ed si un archivo no se carga despu\u00e9s de haber sido analizado y obtenemos otra liberaci\u00f3n m\u00e1s tarde (por ejemplo porque no existe ning\u00fan otro archivo). Solucione el problema agregando la asignaci\u00f3n NULL que falta."}], "id": "CVE-2024-26694", "lastModified": "2024-11-21T09:02:51.727", "metrics": {}, "published": "2024-04-03T15:15:52.717", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:3627", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3618", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.5.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-05T00:00:00Z"}], "bugzilla": {"description": "kernel: wifi: iwlwifi: fix double-free bug", "id": "2273092", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273092"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-415", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: iwlwifi: fix double-free bug\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment.", "A vulnerability was found in the Linux kernel's iwlwifi driver, where the TLV PC register data being freed is not properly marked as NULL afterwards, resulting in a double-free issue. This could lead to memory corruption or crashes."], "name": "CVE-2024-26694", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26694\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26694\nhttps://lore.kernel.org/linux-cve-announce/2024040337-CVE-2024-26694-b216@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.6.18, kernel 6.7.6, kernel 6.8"}