CVE-2024-26954 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() If ->NameOffset of smb2_create_req is smaller than Buffer offset of smb2_create_req, slab-out-of-bounds read can happen from smb2_open. This patch set the minimum value of the name offset to the buffer offset to validate name length of smb2_create_req().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57
https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178
https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa
https://lore.kernel.org/linux-cve-announce/2024050128-CVE-2024-26954-18d5@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26954
https://www.cve.org/CVERecord?id=CVE-2024-26954

History

Fri, 20 Sep 2024 23:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-01T05:18:47.428Z

Updated: 2024-11-05T09:18:50.399Z

Reserved: 2024-02-19T14:20:24.200Z

Link: CVE-2024-26954

Vulnrichment

Updated: 2024-08-02T00:21:05.749Z

NVD

Status : Awaiting Analysis

Published: 2024-05-01T06:15:11.583

Modified: 2024-05-01T13:02:20.750

Link: CVE-2024-26954

Redhat

Severity : Moderate

Publid Date: 2024-05-01T00:00:00Z

Links: CVE-2024-26954 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26954", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.200Z", "datePublished": "2024-05-01T05:18:47.428Z", "dateUpdated": "2024-11-05T09:18:50.399Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:18:50.399Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2misc.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "3b8da67191e9", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "4f97e6a9d62c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "a80a486d72e2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2misc.c"], "versions": [{"version": "6.7.12", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.3", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57"}, {"url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178"}, {"url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa"}], "title": "ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.749Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26954", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:45:29.977526Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:48.598Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.749Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26954", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:45:29.977526Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.863Z"}}], "cna": {"title": "ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "3b8da67191e9", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "4f97e6a9d62c", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "a80a486d72e2", "versionType": "git"}], "programFiles": ["fs/smb/server/smb2misc.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "6.7.12", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.3", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/server/smb2misc.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57"}, {"url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178"}, {"url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req()."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:18:50.399Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26954", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:18:50.399Z", "dateReserved": "2024-02-19T14:20:24.200Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-01T05:18:47.428Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "kernel: ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()", "id": "2278191", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278191"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", "A flaw was found in the ksmbd module in the Linux kernel. Under some conditions, an out-of-bounds read can occur in the smb_strndup_from_utf16 function, resulting in a denial of service."], "name": "CVE-2024-26954", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26954\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26954\nhttps://lore.kernel.org/linux-cve-announce/2024050128-CVE-2024-26954-18d5@gregkh/T"], "statement": "The ksmbd module is not built in the kernel shipped in Red Hat Enterprise Linux, so it is not affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.7.12, kernel 6.8.3, kernel 6.9-rc1"}