CVE-2024-26800 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0
https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1
https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe
https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89
https://lore.kernel.org/linux-cve-announce/2024040403-CVE-2024-26800-0bf4@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26800
https://www.cve.org/CVERecord?id=CVE-2024-26800

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-04T08:20:28.554Z

Updated: 2024-11-05T09:16:03.786Z

Reserved: 2024-02-19T14:20:24.179Z

Link: CVE-2024-26800

Vulnrichment

Updated: 2024-08-02T00:14:13.534Z

NVD

Status : Awaiting Analysis

Published: 2024-04-04T09:15:09.003

Modified: 2024-04-04T14:15:09.897

Link: CVE-2024-26800

Redhat

Severity : Low

Publid Date: 2024-04-04T00:00:00Z

Links: CVE-2024-26800 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26800", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.179Z", "datePublished": "2024-04-04T08:20:28.554Z", "dateUpdated": "2024-11-05T09:16:03.786Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:16:03.786Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "cd1bbca03f3c", "lessThan": "f2b85a4cc763", "status": "affected", "versionType": "git"}, {"version": "13eca403876b", "lessThan": "81be85353b0f", "status": "affected", "versionType": "git"}, {"version": "ab6397f072e5", "lessThan": "1ac9fb84bc7e", "status": "affected", "versionType": "git"}, {"version": "859054147318", "lessThan": "13114dc55430", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "6.6.18", "lessThan": "6.6.21", "status": "affected", "versionType": "semver"}, {"version": "6.7.6", "lessThan": "6.7.9", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89"}, {"url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe"}, {"url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1"}, {"url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0"}], "title": "tls: fix use-after-free on failed backlog decryption", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T20:01:08.576744Z", "id": "CVE-2024-26800", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:01:16.218Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.534Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.534Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26800", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-31T20:01:08.576744Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:01:12.999Z"}}], "cna": {"title": "tls: fix use-after-free on failed backlog decryption", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "cd1bbca03f3c", "lessThan": "f2b85a4cc763", "versionType": "git"}, {"status": "affected", "version": "13eca403876b", "lessThan": "81be85353b0f", "versionType": "git"}, {"status": "affected", "version": "ab6397f072e5", "lessThan": "1ac9fb84bc7e", "versionType": "git"}, {"status": "affected", "version": "859054147318", "lessThan": "13114dc55430", "versionType": "git"}], "programFiles": ["net/tls/tls_sw.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.6.18", "lessThan": "6.6.21", "versionType": "custom"}, {"status": "affected", "version": "6.7.6", "lessThan": "6.7.9", "versionType": "custom"}], "programFiles": ["net/tls/tls_sw.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89"}, {"url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe"}, {"url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1"}, {"url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:23:00.056Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26800", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:14:13.534Z", "dateReserved": "2024-02-19T14:20:24.179Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-04T08:20:28.554Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tls: corrige el use-after-free en el descifrado fallido del trabajo pendiente Cuando la solicitud de descifrado va al trabajo pendiente y crypto_aead_decrypt devuelve -EBUSY, tls_do_decryption esperar\u00e1 hasta que se hayan completado todos los descifrados as\u00edncronos. Si uno de ellos falla, tls_do_decryption devolver\u00e1 -EBADMSG y tls_decrypt_sg salta a la ruta del error, liberando todas las p\u00e1ginas. Pero las p\u00e1ginas se pasaron a la devoluci\u00f3n de llamada as\u00edncrona y tls_decrypt_done ya las public\u00f3. El \u00fanico caso as\u00edncrono verdadero es cuando crypto_aead_decrypt devuelve -EINPROGRESS. Con -EBUSY, ya esperamos para poder decirle a tls_sw_recvmsg que los datos est\u00e1n disponibles para copia inmediata, pero debemos notificar a tls_decrypt_sg (a trav\u00e9s del nuevo indicador ->async_done) que la memoria ya ha sido liberada."}], "id": "CVE-2024-26800", "lastModified": "2024-04-04T14:15:09.897", "metrics": {}, "published": "2024-04-04T09:15:09.003", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tls: fix use-after-free on failed backlog decryption", "id": "2273472", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273472"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntls: fix use-after-free on failed backlog decryption\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\nThe only true async case is when crypto_aead_decrypt returns\n-EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released."], "name": "CVE-2024-26800", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26800\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26800\nhttps://lore.kernel.org/linux-cve-announce/2024040403-CVE-2024-26800-0bf4@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 6.6.21, kernel 6.7.9"}