CVE-2024-26809 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path").

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c
https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af
https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b
https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2
https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee
https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144
https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2
https://lore.kernel.org/linux-cve-announce/2024040401-CVE-2024-26809-b0d1@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26809
https://www.cve.org/CVERecord?id=CVE-2024-26809

History

Tue, 05 Nov 2024 10:45:00 +0000

Type	Values Removed	Values Added
References	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-04T09:51:51.245Z

Updated: 2024-11-05T09:16:13.839Z

Reserved: 2024-02-19T14:20:24.179Z

Link: CVE-2024-26809

Vulnrichment

Updated: 2024-08-02T00:14:13.546Z

NVD

Status : Awaiting Analysis

Published: 2024-04-04T10:15:09.820

Modified: 2024-11-05T10:15:51.820

Link: CVE-2024-26809

Redhat

Severity : Moderate

Publid Date: 2024-04-04T00:00:00Z

Links: CVE-2024-26809 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26809", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.179Z", "datePublished": "2024-04-04T09:51:51.245Z", "dateUpdated": "2024-11-05T09:16:13.839Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:16:13.839Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\")."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nft_set_pipapo.c"], "versions": [{"version": "4a6430b99f67", "lessThan": "b36b83297ff4", "status": "affected", "versionType": "git"}, {"version": "5ccecafc728b", "lessThan": "362508506bf5", "status": "affected", "versionType": "git"}, {"version": "9827a0e6e23b", "lessThan": "5ad233dc731a", "status": "affected", "versionType": "git"}, {"version": "9827a0e6e23b", "lessThan": "ff9005077141", "status": "affected", "versionType": "git"}, {"version": "9827a0e6e23b", "lessThan": "821e28d5b506", "status": "affected", "versionType": "git"}, {"version": "9827a0e6e23b", "lessThan": "9384b4d85c46", "status": "affected", "versionType": "git"}, {"version": "9827a0e6e23b", "lessThan": "b0e256f3dd2b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nft_set_pipapo.c"], "versions": [{"version": "5.19", "status": "affected"}, {"version": "0", "lessThan": "5.19", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.214", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.153", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.83", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.23", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.11", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.2", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144"}, {"url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c"}, {"url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af"}, {"url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2"}, {"url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b"}, {"url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2"}, {"url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee"}], "title": "netfilter: nft_set_pipapo: release elements in clone only from destroy path", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.546Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:50:40.137148Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:44.659Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.546Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:50:40.137148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.457Z"}}], "cna": {"title": "netfilter: nft_set_pipapo: release elements in clone only from destroy path", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4a6430b99f67", "lessThan": "b36b83297ff4", "versionType": "git"}, {"status": "affected", "version": "5ccecafc728b", "lessThan": "362508506bf5", "versionType": "git"}, {"status": "affected", "version": "9827a0e6e23b", "lessThan": "5ad233dc731a", "versionType": "git"}, {"status": "affected", "version": "9827a0e6e23b", "lessThan": "ff9005077141", "versionType": "git"}, {"status": "affected", "version": "9827a0e6e23b", "lessThan": "821e28d5b506", "versionType": "git"}, {"status": "affected", "version": "9827a0e6e23b", "lessThan": "9384b4d85c46", "versionType": "git"}, {"status": "affected", "version": "9827a0e6e23b", "lessThan": "b0e256f3dd2b", "versionType": "git"}], "programFiles": ["net/netfilter/nft_set_pipapo.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.19"}, {"status": "unaffected", "version": "0", "lessThan": "5.19", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.214", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.153", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.83", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.23", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.11", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.2", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/netfilter/nft_set_pipapo.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144"}, {"url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c"}, {"url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af"}, {"url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2"}, {"url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b"}, {"url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2"}, {"url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\")."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:16:13.839Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26809", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:16:13.839Z", "dateReserved": "2024-02-19T14:20:24.179Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-04T09:51:51.245Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\")."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nft_set_pipapo: libera elementos en el clon solo desde la ruta de destrucci\u00f3n. El clon ya siempre proporciona una vista actual de la tabla de b\u00fasqueda, \u00fasala para destruir el conjunto; de lo contrario, es posible destruir elementos. dos veces. Esta soluci\u00f3n requiere: 212ed75dc5fb (\"netfilter: nf_tables: integrar pipapo en el protocolo de confirmaci\u00f3n\") que vino despu\u00e9s: 9827a0e6e23b (\"netfilter: nft_set_pipapo: liberar elementos en clon desde la ruta de cancelaci\u00f3n\")."}], "id": "CVE-2024-26809", "lastModified": "2024-11-05T10:15:51.820", "metrics": {}, "published": "2024-04-04T10:15:09.820", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: nft_set_pipapo: release elements in clone only from destroy path", "id": "2273402", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273402"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\nThis fix requires:\n212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\nwhich came after:\n9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", "A vulnerability was found in the Linux kernel's Netfilter subsystem. More specifically, the issue is related to the `nft_set_pipapo` function, where releasing elements from cloned structures occurs outside the intended destroy path. This improper handling could lead to resource leaks or stability issues."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-26809", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26809\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26809\nhttps://lore.kernel.org/linux-cve-announce/2024040401-CVE-2024-26809-b0d1@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.10.214, kernel 5.15.153, kernel 6.1.83, kernel 6.6.23, kernel 6.7.11, kernel 6.8.2, kernel 6.9-rc1"}