{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40989", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.605Z", "datePublished": "2024-07-12T12:37:33.823Z", "dateUpdated": "2024-11-05T09:34:35.776Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:34:35.776Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/vgic/vgic-init.c", "arch/arm64/kvm/vgic/vgic-mmio-v3.c", "arch/arm64/kvm/vgic/vgic.h"], "versions": [{"version": "e5a35635464b", "lessThan": "68df4fc449fc", "status": "affected", "versionType": "git"}, {"version": "e5a35635464b", "lessThan": "48bb62859d47", "status": "affected", "versionType": "git"}, {"version": "e5a35635464b", "lessThan": "152b4123f21e", "status": "affected", "versionType": "git"}, {"version": "e5a35635464b", "lessThan": "0d92e4a7ffd5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/vgic/vgic-init.c", "arch/arm64/kvm/vgic/vgic-mmio-v3.c", "arch/arm64/kvm/vgic/vgic.h"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.96", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.36", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.7", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77"}, {"url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c"}, {"url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76"}, {"url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8"}], "title": "KVM: arm64: Disassociate vcpus from redistributor region on teardown", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.897Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:01:54.595799Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:20.480Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.897Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:01:54.595799Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:22.092Z"}}], "cna": {"title": "KVM: arm64: Disassociate vcpus from redistributor region on teardown", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "e5a35635464b", "lessThan": "68df4fc449fc", "versionType": "git"}, {"status": "affected", "version": "e5a35635464b", "lessThan": "48bb62859d47", "versionType": "git"}, {"status": "affected", "version": "e5a35635464b", "lessThan": "152b4123f21e", "versionType": "git"}, {"status": "affected", "version": "e5a35635464b", "lessThan": "0d92e4a7ffd5", "versionType": "git"}], "programFiles": ["arch/arm64/kvm/vgic/vgic-init.c", "arch/arm64/kvm/vgic/vgic-mmio-v3.c", "arch/arm64/kvm/vgic/vgic.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.13"}, {"status": "unaffected", "version": "0", "lessThan": "5.13", "versionType": "custom"}, {"status": "unaffected", "version": "6.1.96", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.36", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.7", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["arch/arm64/kvm/vgic/vgic-init.c", "arch/arm64/kvm/vgic/vgic-mmio-v3.c", "arch/arm64/kvm/vgic/vgic.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77"}, {"url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c"}, {"url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76"}, {"url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:52:53.606Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40989", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:20.480Z", "dateReserved": "2024-07-12T12:17:45.605Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:37:33.823Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\n\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: arm64: desasociar vcpus de la regi\u00f3n del redistribuidor al desmantelar Al desmantelar una regi\u00f3n de redistribuidor, aseg\u00farese de que no tengamos ning\u00fan puntero colgante a esa regi\u00f3n almacenado en una vcpu."}], "id": "CVE-2024-40989", "lastModified": "2024-07-12T16:34:58.687", "metrics": {}, "published": "2024-07-12T13:15:20.310", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/152b4123f21e6aff31cea01158176ad96a999c76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/48bb62859d47c5c4197a8c01128d0fa4f46ee58c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/68df4fc449fcc24347209e500ce26d5816705a77"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:7001", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7000", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.22.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: KVM: arm64: Disassociate vcpus from redistributor region on teardown", "id": "2297573", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297573"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H", "status": "verified"}, "cwe": "CWE-825", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: arm64: Disassociate vcpus from redistributor region on teardown\nWhen tearing down a redistributor region, make sure we don't have\nany dangling pointer to that region stored in a vcpu.", "A vulnerability was found in the Linux kernel's KVM for ARM64 within the vgic-init.c, vgic-mmio-v3.c, and vgic.h files. The virtual vCPUs may retain dangling pointers in a redistributor region after they have been torn down, leading to potential memory corruption."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40989", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40989\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40989\nhttps://lore.kernel.org/linux-cve-announce/2024071249-CVE-2024-40989-c8da@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.96, kernel 6.6.36, kernel 6.9.7, kernel 6.10-rc5"}