{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42108", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-29T15:50:41.176Z", "datePublished": "2024-07-30T07:46:03.517Z", "dateUpdated": "2024-09-11T17:33:07.014Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-30T07:46:03.517Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rswitch: Avoid use-after-free in rswitch_poll()\n\nThe use-after-free is actually in rswitch_tx_free(), which is inlined in\nrswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the\nsame pointer, the skb is first freed using dev_kfree_skb_any(), then the\nvalue in skb->len is used to update the interface statistics.\n\nLet's move around the instructions to use skb->len before the skb is\nfreed.\n\nThis bug is trivial to reproduce using KFENCE. It will trigger a splat\nevery few packets. A simple ARP request or ICMP echo request is enough."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/renesas/rswitch.c"], "versions": [{"version": "271e015b9153", "lessThan": "92cbbe775919", "status": "affected", "versionType": "git"}, {"version": "271e015b9153", "lessThan": "9a0c28efeec6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/renesas/rswitch.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.9", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b"}, {"url": "https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67"}], "title": "net: rswitch: Avoid use-after-free in rswitch_poll()", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.138Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:17:39.409257Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:07.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.138Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:17:39.409257Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:14.603Z"}}], "cna": {"title": "net: rswitch: Avoid use-after-free in rswitch_poll()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "271e015b9153", "lessThan": "92cbbe775919", "versionType": "git"}, {"status": "affected", "version": "271e015b9153", "lessThan": "9a0c28efeec6", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/renesas/rswitch.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.8"}, {"status": "unaffected", "version": "0", "lessThan": "6.8", "versionType": "custom"}, {"status": "unaffected", "version": "6.9.9", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/renesas/rswitch.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b"}, {"url": "https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rswitch: Avoid use-after-free in rswitch_poll()\n\nThe use-after-free is actually in rswitch_tx_free(), which is inlined in\nrswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the\nsame pointer, the skb is first freed using dev_kfree_skb_any(), then the\nvalue in skb->len is used to update the interface statistics.\n\nLet's move around the instructions to use skb->len before the skb is\nfreed.\n\nThis bug is trivial to reproduce using KFENCE. It will trigger a splat\nevery few packets. A simple ARP request or ICMP echo request is enough."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-30T07:46:03.517Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42108", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:33:07.014Z", "dateReserved": "2024-07-29T15:50:41.176Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-30T07:46:03.517Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5726EB4D-ED18-4DEC-B0C0-A525D33487E1", "versionEndExcluding": "6.9.9", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rswitch: Avoid use-after-free in rswitch_poll()\n\nThe use-after-free is actually in rswitch_tx_free(), which is inlined in\nrswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the\nsame pointer, the skb is first freed using dev_kfree_skb_any(), then the\nvalue in skb->len is used to update the interface statistics.\n\nLet's move around the instructions to use skb->len before the skb is\nfreed.\n\nThis bug is trivial to reproduce using KFENCE. It will trigger a splat\nevery few packets. A simple ARP request or ICMP echo request is enough."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: rswitch: Evite el use after free en rswitch_poll() El use after free est\u00e1 en realidad en rswitch_tx_free(), que est\u00e1 incluido en rswitch_poll(). Dado que `skb` y `gq->skbs[gq->dirty]` son de hecho el mismo puntero, el skb primero se libera usando dev_kfree_skb_any(), luego el valor en skb->len se usa para actualizar las estad\u00edsticas de la interfaz. Avancemos por las instrucciones para usar skb->len antes de liberar el skb. Este error es trivial de reproducir usando KFENCE. Activar\u00e1 un sonido cada pocos paquetes. Una simple solicitud ARP o una solicitud de eco ICMP es suficiente."}], "id": "CVE-2024-42108", "lastModified": "2024-08-21T20:52:35.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-30T08:15:03.333", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92cbbe7759193e3418f38d0d73f8fe125312c58b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9a0c28efeec6383ef22e97437616b920e7320b67"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: rswitch: Avoid use-after-free in rswitch_poll()", "id": "2301471", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301471"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet: rswitch: Avoid use-after-free in rswitch_poll()\nThe use-after-free is actually in rswitch_tx_free(), which is inlined in\nrswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the\nsame pointer, the skb is first freed using dev_kfree_skb_any(), then the\nvalue in skb->len is used to update the interface statistics.\nLet's move around the instructions to use skb->len before the skb is\nfreed.\nThis bug is trivial to reproduce using KFENCE. It will trigger a splat\nevery few packets. A simple ARP request or ICMP echo request is enough.", "A use-after-free was found in the Linux kernel network (Ethernet) card Renesas driver. This issue could allow a local user to crash the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-42108", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-42108\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42108\nhttps://lore.kernel.org/linux-cve-announce/2024073021-CVE-2024-42108-7e70@gregkh/T"], "statement": "Red Hat Enterprise Linux is not affected.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.9.9, kernel 6.10"}