{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39482", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-25T14:23:23.746Z", "datePublished": "2024-07-05T06:55:10.599Z", "dateUpdated": "2024-08-02T04:26:15.917Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:50:18.433Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/md/bcache/bset.c", "drivers/md/bcache/bset.h", "drivers/md/bcache/btree.c", "drivers/md/bcache/super.c", "drivers/md/bcache/sysfs.c", "drivers/md/bcache/writeback.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "2c3d7b03b658", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "5a1922adc579", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "934e1e433185", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "6479b9f41583", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "0c31344e22dd", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "3a861560ccb3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/md/bcache/bset.c", "drivers/md/bcache/bset.h", "drivers/md/bcache/btree.c", "drivers/md/bcache/super.c", "drivers/md/bcache/sysfs.c", "drivers/md/bcache/writeback.c"], "versions": [{"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.94", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.34", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.5", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b"}, {"url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023"}, {"url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02"}, {"url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148"}, {"url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671"}, {"url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31"}], "title": "bcache: fix variable length array abuse in btree_iter", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T17:54:07.988323Z", "id": "CVE-2024-39482", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T17:54:15.435Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.917Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.917Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T17:54:07.988323Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T17:54:12.398Z"}}], "cna": {"title": "bcache: fix variable length array abuse in btree_iter", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "2c3d7b03b658", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "5a1922adc579", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "934e1e433185", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "6479b9f41583", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "0c31344e22dd", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "3a861560ccb3", "versionType": "git"}], "programFiles": ["drivers/md/bcache/bset.c", "drivers/md/bcache/bset.h", "drivers/md/bcache/btree.c", "drivers/md/bcache/super.c", "drivers/md/bcache/sysfs.c", "drivers/md/bcache/writeback.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.10.221", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.162", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.94", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.34", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.5", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/md/bcache/bset.c", "drivers/md/bcache/bset.h", "drivers/md/bcache/btree.c", "drivers/md/bcache/super.c", "drivers/md/bcache/sysfs.c", "drivers/md/bcache/writeback.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b"}, {"url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023"}, {"url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02"}, {"url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148"}, {"url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671"}, {"url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:50:18.433Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39482", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:26:15.917Z", "dateReserved": "2024-06-25T14:23:23.746Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-05T06:55:10.599Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "520E9C39-AB38-4A1C-B857-2030B4982A71", "versionEndExcluding": "5.10.221", "versionStartIncluding": "5.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4626E4B7-D5F4-42CC-93A8-B73E6384273F", "versionEndExcluding": "5.15.162", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5A86346-2984-4261-AC12-29EACB186000", "versionEndExcluding": "6.1.94", "versionStartIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC0C6E24-8240-425A-BD1A-F78E6D3A67FC", "versionEndExcluding": "6.6.34", "versionStartIncluding": "6.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "54EDFD02-25E6-4BC8-9AD0-0A59881F400A", "versionEndExcluding": "6.9.5", "versionStartIncluding": "6.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix variable length array abuse in btree_iter\n\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\n\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bcache: corrige el abuso de matriz de longitud variable en btree_iter btree_iter se usa de dos maneras: ya sea asignado en la pila con un tama\u00f1o fijo MAX_BSETS, o desde un mempool con un tama\u00f1o din\u00e1mico basado en el conjunto de cach\u00e9 espec\u00edfico. Anteriormente, la estructura ten\u00eda una matriz de longitud fija de tama\u00f1o MAX_BSETS que estaba indexada fuera de los l\u00edmites para los iteradores de tama\u00f1o din\u00e1mico, lo que provoca que UBSAN se queje. Este parche utiliza el mismo enfoque que en sort_iter de bcachefs y divide el iterador en un btree_iter con un miembro de matriz flexible y un btree_iter_stack que incorpora un btree_iter as\u00ed como una matriz de datos de longitud fija."}], "id": "CVE-2024-39482", "lastModified": "2024-07-08T18:00:28.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-05T07:15:10.710", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/0c31344e22dd8d6b1394c6e4c41d639015bdc671"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/2c3d7b03b658dc8bfa6112b194b67b92a87e081b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/3a861560ccb35f2a4f0a4b8207fa7c2a35fc7f31"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/5a1922adc5798b7ec894cd3f197afb6f9591b023"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/6479b9f41583b013041943c4602e1ad61cec8148"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/934e1e4331859183a861f396d7dfaf33cb5afb02"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bcache: fix variable length array abuse in btree_iter", "id": "2296054", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296054"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbcache: fix variable length array abuse in btree_iter\nbtree_iter is used in two ways: either allocated on the stack with a\nfixed size MAX_BSETS, or from a mempool with a dynamic size based on the\nspecific cache set. Previously, the struct had a fixed-length array of\nsize MAX_BSETS which was indexed out-of-bounds for the dynamically-sized\niterators, which causes UBSAN to complain.\nThis patch uses the same approach as in bcachefs's sort_iter and splits\nthe iterator into a btree_iter with a flexible array member and a\nbtree_iter_stack which embeds a btree_iter as well as a fixed-length\ndata array."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-39482", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39482\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39482\nhttps://lore.kernel.org/linux-cve-announce/2024070520-CVE-2024-39482-8ed3@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.94, kernel 6.6.34, kernel 6.9.5, kernel 6.10-rc1"}