{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26826", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.181Z", "datePublished": "2024-04-17T09:43:51.741Z", "dateUpdated": "2024-09-11T17:33:30.420Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:23:25.185Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "1e1d9d6f119c", "lessThan": "6f95120f898b", "status": "affected", "versionType": "git"}, {"version": "1e1d9d6f119c", "lessThan": "6673d9f1c2cd", "status": "affected", "versionType": "git"}, {"version": "1e1d9d6f119c", "lessThan": "b609c783c535", "status": "affected", "versionType": "git"}, {"version": "1e1d9d6f119c", "lessThan": "624902eab7ab", "status": "affected", "versionType": "git"}, {"version": "1e1d9d6f119c", "lessThan": "b6c620dc43cc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/protocol.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.149", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.79", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.18", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7.6", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"}, {"url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"}, {"url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"}, {"url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"}, {"url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"}], "title": "mptcp: fix data re-injection from stale subflow", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.531Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26826", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:49:00.883183Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:30.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.531Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26826", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:49:00.883183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:17.040Z"}}], "cna": {"title": "mptcp: fix data re-injection from stale subflow", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1e1d9d6f119c", "lessThan": "6f95120f898b", "versionType": "git"}, {"status": "affected", "version": "1e1d9d6f119c", "lessThan": "6673d9f1c2cd", "versionType": "git"}, {"status": "affected", "version": "1e1d9d6f119c", "lessThan": "b609c783c535", "versionType": "git"}, {"status": "affected", "version": "1e1d9d6f119c", "lessThan": "624902eab7ab", "versionType": "git"}, {"status": "affected", "version": "1e1d9d6f119c", "lessThan": "b6c620dc43cc", "versionType": "git"}], "programFiles": ["net/mptcp/protocol.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.149", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.79", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.18", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.6", "versionType": "custom", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/mptcp/protocol.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"}, {"url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"}, {"url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"}, {"url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"}, {"url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:23:25.185Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26826", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:33:30.420Z", "dateReserved": "2024-02-19T14:20:24.181Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-17T09:43:51.741Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: corrige la reinyecci\u00f3n de datos desde un subflujo obsoleto Cuando MPTCP PM detecta que un subflujo est\u00e1 obsoleto, todo el programador de paquetes debe reinyectar todos los datos no codificados del nivel mptcp. Para evitar adquirir bloqueos innecesarios, primero intenta verificar si hay datos no bloqueados presentes en la cola RTX, pero dicha verificaci\u00f3n actualmente no funciona, ya que utiliza un asistente espec\u00edfico de TCP en un socket MPTCP. Curiosamente, los fuzzers y los comprobadores est\u00e1ticos est\u00e1n contentos, ya que la memoria a la que se accede todav\u00eda pertenece a la estructura mptcp_sock, e incluso desde una perspectiva funcional la recuperaci\u00f3n se complet\u00f3 con \u00e9xito, ya que la prueba de acceso directo siempre fallaba. Un cambio reciente de TCP no relacionado (commit d5fed5addb2b (\"tcp: reorganizar las variables de ruta r\u00e1pida de tcp_sock\")) expuso el problema, ya que la reorganizaci\u00f3n del campo tcp hace que el c\u00f3digo mptcp siempre omita la reinecci\u00f3n. Solucione el problema eliminando la llamada falsa: estamos en un camino lento, la optimizaci\u00f3n inicial demostr\u00f3 una vez m\u00e1s ser mala."}], "id": "CVE-2024-26826", "lastModified": "2024-04-17T12:48:07.510", "metrics": {}, "published": "2024-04-17T10:15:09.183", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:4352", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4211", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.8.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:5065", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.115.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5065", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.115.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-07T00:00:00Z"}, {"advisory": "RHSA-2024:5065", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.115.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-07T00:00:00Z"}], "bugzilla": {"description": "kernel: mptcp: fix data re-injection from stale subflow", "id": "2275604", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275604"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmptcp: fix data re-injection from stale subflow\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."], "name": "CVE-2024-26826", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26826\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26826\nhttps://lore.kernel.org/linux-cve-announce/2024041703-CVE-2024-26826-b984@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.149, kernel 6.1.79, kernel 6.6.18, kernel 6.7.6, kernel 6.8"}