{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35880", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.111Z", "datePublished": "2024-05-19T08:34:37.262Z", "dateUpdated": "2024-08-02T03:21:48.591Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:30:36.264Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: hold io_buffer_list reference over mmap\n\nIf we look up the kbuf, ensure that it doesn't get unregistered until\nafter we're done with it. Since we're inside mmap, we cannot safely use\nthe io_uring lock. Rely on the fact that we can lookup the buffer list\nunder RCU now and grab a reference to it, preventing it from being\nunregistered until we're done with it. The lookup returns the\nio_buffer_list directly with it referenced."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/io_uring.c", "io_uring/kbuf.c", "io_uring/kbuf.h"], "versions": [{"version": "09f7520048ea", "lessThan": "65938e81df21", "status": "affected", "versionType": "git"}, {"version": "5cf4f52e6d8a", "lessThan": "5fd8e2359498", "status": "affected", "versionType": "git"}, {"version": "5cf4f52e6d8a", "lessThan": "561e4f9451d6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/io_uring.c", "io_uring/kbuf.c", "io_uring/kbuf.h"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.26", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8.5", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/65938e81df2197203bda4b9a0c477e7987218d66"}, {"url": "https://git.kernel.org/stable/c/5fd8e2359498043e0b5329a05f02d10a9eb91eb9"}, {"url": "https://git.kernel.org/stable/c/561e4f9451d65fc2f7eef564e0064373e3019793"}], "title": "io_uring/kbuf: hold io_buffer_list reference over mmap", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"affected": [{"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:6.7:-:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "6.7", "status": "affected"}]}, {"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "09f7520048ea", "status": "affected", "lessThan": "65938e81df21", "versionType": "git"}, {"version": "5cf4f52e6d8a", "status": "affected", "lessThan": "5fd8e2359498", "versionType": "git"}, {"version": "5cf4f52e6d8a", "status": "affected", "lessThan": "561e4f9451d6", "versionType": "git"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T03:55:54.843818Z", "id": "CVE-2024-35880", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T13:23:38.879Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.591Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/65938e81df2197203bda4b9a0c477e7987218d66", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5fd8e2359498043e0b5329a05f02d10a9eb91eb9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/561e4f9451d65fc2f7eef564e0064373e3019793", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-01T03:55:54.843818Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:linux:linux_kernel:6.7:-:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "6.7"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "09f7520048ea", "lessThan": "65938e81df21", "versionType": "git"}, {"status": "affected", "version": "5cf4f52e6d8a", "lessThan": "5fd8e2359498", "versionType": "git"}, {"status": "affected", "version": "5cf4f52e6d8a", "lessThan": "561e4f9451d6", "versionType": "git"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.769Z"}}], "cna": {"title": "io_uring/kbuf: hold io_buffer_list reference over mmap", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "09f7520048ea", "lessThan": "65938e81df21", "versionType": "git"}, {"status": "affected", "version": "5cf4f52e6d8a", "lessThan": "5fd8e2359498", "versionType": "git"}, {"status": "affected", "version": "5cf4f52e6d8a", "lessThan": "561e4f9451d6", "versionType": "git"}], "programFiles": ["io_uring/io_uring.c", "io_uring/kbuf.c", "io_uring/kbuf.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.7"}, {"status": "unaffected", "version": "0", "lessThan": "6.7", "versionType": "custom"}, {"status": "unaffected", "version": "6.6.26", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.5", "versionType": "custom", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["io_uring/io_uring.c", "io_uring/kbuf.c", "io_uring/kbuf.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/65938e81df2197203bda4b9a0c477e7987218d66"}, {"url": "https://git.kernel.org/stable/c/5fd8e2359498043e0b5329a05f02d10a9eb91eb9"}, {"url": "https://git.kernel.org/stable/c/561e4f9451d65fc2f7eef564e0064373e3019793"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: hold io_buffer_list reference over mmap\n\nIf we look up the kbuf, ensure that it doesn't get unregistered until\nafter we're done with it. Since we're inside mmap, we cannot safely use\nthe io_uring lock. Rely on the fact that we can lookup the buffer list\nunder RCU now and grab a reference to it, preventing it from being\nunregistered until we're done with it. The lookup returns the\nio_buffer_list directly with it referenced."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:30:36.264Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35880", "state": "PUBLISHED", "dateUpdated": "2024-08-01T13:23:38.879Z", "dateReserved": "2024-05-17T13:50:33.111Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-19T08:34:37.262Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: hold io_buffer_list reference over mmap\n\nIf we look up the kbuf, ensure that it doesn't get unregistered until\nafter we're done with it. Since we're inside mmap, we cannot safely use\nthe io_uring lock. Rely on the fact that we can lookup the buffer list\nunder RCU now and grab a reference to it, preventing it from being\nunregistered until we're done with it. The lookup returns the\nio_buffer_list directly with it referenced."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring/kbuf: mantiene la referencia io_buffer_list sobre mmap. Si buscamos el kbuf, nos aseguramos de que no se cancele el registro hasta que hayamos terminado con \u00e9l. Como estamos dentro de mmap, no podemos usar de forma segura el bloqueo io_uring. Conf\u00ede en el hecho de que ahora podemos buscar la lista de b\u00fafer en RCU y obtener una referencia a ella, evitando que se cancele el registro hasta que hayamos terminado. La b\u00fasqueda devuelve io_buffer_list directamente con su referencia."}], "id": "CVE-2024-35880", "lastModified": "2024-05-20T13:00:04.957", "metrics": {}, "published": "2024-05-19T09:15:09.283", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/561e4f9451d65fc2f7eef564e0064373e3019793"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5fd8e2359498043e0b5329a05f02d10a9eb91eb9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65938e81df2197203bda4b9a0c477e7987218d66"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: io_uring/kbuf: hold io_buffer_list reference over mmap", "id": "2281713", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281713"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nio_uring/kbuf: hold io_buffer_list reference over mmap\nIf we look up the kbuf, ensure that it doesn't get unregistered until\nafter we're done with it. Since we're inside mmap, we cannot safely use\nthe io_uring lock. Rely on the fact that we can lookup the buffer list\nunder RCU now and grab a reference to it, preventing it from being\nunregistered until we're done with it. The lookup returns the\nio_buffer_list directly with it referenced."], "name": "CVE-2024-35880", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35880\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35880\nhttps://lore.kernel.org/linux-cve-announce/2024051944-CVE-2024-35880-6ffb@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.6.26, kernel 6.8.5, kernel 6.9"}