CVE-2024-26980 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size validation could be skipped. if request size is smaller than sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in smb2_allocate_rsp_buf(). This patch allocate response buffer after decrypting transform request. smb3_decrypt_req() will validate transform request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085
https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1
https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248
https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20
https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325
https://lore.kernel.org/linux-cve-announce/2024050141-CVE-2024-26980-4b16@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26980
https://www.cve.org/CVERecord?id=CVE-2024-26980

History

Tue, 24 Sep 2024 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-01T05:26:56.744Z

Updated: 2024-11-06T15:14:12.175Z

Reserved: 2024-02-19T14:20:24.204Z

Link: CVE-2024-26980

Vulnrichment

Updated: 2024-08-02T00:21:05.907Z

NVD

Status : Awaiting Analysis

Published: 2024-05-01T06:15:15.423

Modified: 2024-11-06T16:35:13.217

Link: CVE-2024-26980

Redhat

Severity : Moderate

Publid Date: 2024-05-01T00:00:00Z

Links: CVE-2024-26980 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26980", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.204Z", "datePublished": "2024-05-01T05:26:56.744Z", "dateUpdated": "2024-11-06T15:14:12.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:19:19.291Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/server.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "da2140137260", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "b80ba648714e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "3160d9734453", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "0977f89722ec", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "c119f4ede3fa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/server.c"], "versions": [{"version": "5.15.159", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.88", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.29", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.8", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325"}, {"url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248"}, {"url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1"}, {"url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085"}, {"url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20"}], "title": "ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T18:49:02.279322Z", "id": "CVE-2024-26980", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T15:14:12.175Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.907Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.907Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-26980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T18:49:02.279322Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:49:24.288Z"}}], "cna": {"title": "ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "da2140137260", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "b80ba648714e", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "3160d9734453", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "0977f89722ec", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "c119f4ede3fa", "versionType": "git"}], "programFiles": ["fs/smb/server/server.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.15.159", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.88", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.29", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.8", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/server/server.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325"}, {"url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248"}, {"url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1"}, {"url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085"}, {"url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf()."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:19:19.291Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26980", "state": "PUBLISHED", "dateUpdated": "2024-11-06T15:14:12.175Z", "dateReserved": "2024-02-19T14:20:24.204Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-01T05:26:56.744Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ksmbd: corrige slab-out-of-bounds en smb2_allocate_rsp_buf Si ->ProtocolId es SMB2_TRANSFORM_PROTO_NUM, se podr\u00eda omitir la validaci\u00f3n del tama\u00f1o de la solicitud smb2. Si el tama\u00f1o de la solicitud es menor que sizeof (struct smb2_query_info_req), la lectura de losa fuera de los l\u00edmites puede ocurrir en smb2_allocate_rsp_buf(). Este parche asigna un b\u00fafer de respuesta despu\u00e9s de descifrar la solicitud de transformaci\u00f3n. smb3_decrypt_req() validar\u00e1 el tama\u00f1o de la solicitud de transformaci\u00f3n y evitar\u00e1 la losa fuera de los l\u00edmites en smb2_allocate_rsp_buf()."}], "id": "CVE-2024-26980", "lastModified": "2024-11-06T16:35:13.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-01T06:15:15.423", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf", "id": "2278341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278341"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", "A flaw was found in the Linux kernel's ksmbd module. Improper size validation can trigger an out-of-bounds read, resulting in a denial of service."], "name": "CVE-2024-26980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26980\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26980\nhttps://lore.kernel.org/linux-cve-announce/2024050141-CVE-2024-26980-4b16@gregkh/T"], "statement": "The ksmbd module is not built in the kernel shipped in Red Hat Enterprise Linux, so it is not affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.88, kernel 6.6.29, kernel 6.8.8, kernel 6.9-rc6"}