{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26982", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.204Z", "datePublished": "2024-05-01T05:27:11.032Z", "dateUpdated": "2024-11-05T09:19:21.524Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:19:21.524Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/inode.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "be383effaee3", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "7def00ebc9f2", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "9253c54e01b6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/inode.c"], "versions": [{"version": "6.6.30", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.8", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"}, {"url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"}, {"url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"}], "title": "Squashfs: check the inode number is not the invalid value of zero", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.866Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:45:06.926436Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:42.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.866Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:45:06.926436Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.321Z"}}], "cna": {"title": "Squashfs: check the inode number is not the invalid value of zero", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "be383effaee3", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "7def00ebc9f2", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "9253c54e01b6", "versionType": "git"}], "programFiles": ["fs/squashfs/inode.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "6.6.30", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.8", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/squashfs/inode.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"}, {"url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"}, {"url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:19:21.524Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26982", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:19:21.524Z", "dateReserved": "2024-02-19T14:20:24.204Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-01T05:27:11.032Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: Squashfs: comprobar que el n\u00famero de inodo no sea el valor no v\u00e1lido de cero. Syskiller ha producido un acceso fuera de los l\u00edmites en fill_meta_index(). Ese acceso fuera de los l\u00edmites se debe en \u00faltima instancia a que el inodo tiene un n\u00famero de inodo con un valor no v\u00e1lido de cero, que no se verific\u00f3. La raz\u00f3n por la que esto causa el acceso fuera de los l\u00edmites se debe a la siguiente secuencia de eventos: 1. Se llama a Fill_meta_index() para asignar (a trav\u00e9s de vac\u00edo_meta_index()) y completar un \u00edndice de metadatos. Sin embargo, sufre un error de lectura de datos y se cancela, invalidando el \u00edndice de metadatos vac\u00edo reci\u00e9n devuelto. Para ello, establece el n\u00famero de inodo del \u00edndice en cero, lo que significa que no se utiliza (cero no es un n\u00famero de inodo v\u00e1lido). 2. Cuando posteriormente se vuelve a llamar a fill_meta_index() en otra operaci\u00f3n de lectura, localizar_meta_index() devuelve el \u00edndice anterior porque coincide con el n\u00famero de inodo de 0. Debido a que este \u00edndice ha sido devuelto, se espera que se haya completado, y porque no lo ha hecho. Si no lo ha sido, se realiza un acceso fuera de los l\u00edmites. Este parche agrega una verificaci\u00f3n de cordura que verifica que el n\u00famero de inodo no sea cero cuando se crea el inodo y devuelve -EINVAL si lo es. [phillip@squashfs.org.uk: correcci\u00f3n de espacios en blanco] Enlace: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk"}], "id": "CVE-2024-26982", "lastModified": "2024-11-21T09:03:32.917", "metrics": {}, "published": "2024-05-01T06:15:15.610", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:4352", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4211", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.8.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:6297", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.121.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6297", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.121.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:6297", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.121.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-09-04T00:00:00Z"}, {"advisory": "RHSA-2024:5255", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.67.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:4928", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.28.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-31T00:00:00Z"}, {"advisory": "RHSA-2024:4928", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.28.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-31T00:00:00Z"}, {"advisory": "RHSA-2024:4823", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.75.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4831", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}], "bugzilla": {"description": "kernel: Squashfs: check the inode number is not the invalid value of zero", "id": "2278337", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278337"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-125", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nSquashfs: check the inode number is not the invalid value of zero\nSyskiller has produced an out of bounds access in fill_meta_index().\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\nand fill a metadata index. It however suffers a data read error\nand aborts, invalidating the newly returned empty metadata index.\nIt does this by setting the inode number of the index to zero,\nwhich means unused (zero is not a valid inode number).\n2. When fill_meta_index() is subsequently called again on another\nread operation, locate_meta_index() returns the previous index\nbecause it matches the inode number of 0. Because this index\nhas been returned it is expected to have been filled, and because\nit hasn't been, an out of bounds access is performed.\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n[phillip@squashfs.org.uk: whitespace fix]\nLink: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", "A flaw was found in the squashfs module in the Linux kernel. A missing check of an inode number with an invalid value of zero can cause an out-of-bounds read and result in a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-26982", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26982\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26982\nhttps://lore.kernel.org/linux-cve-announce/2024050141-CVE-2024-26982-8675@gregkh/T"], "statement": "This vulnerability allows a local attacker to trigger an out-of-bounds read and cause a denial of service, impacting only the availability of the system. For this reason, it was rated with a Moderate severity.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.8.8, kernel 6.9-rc5"}