{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49996", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T12:17:06.056Z", "datePublished": "2024-10-21T18:02:37.046Z", "dateUpdated": "2024-11-05T09:53:09.487Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:53:09.487Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/reparse.c"], "versions": [{"version": "d5ecebc4900d", "lessThan": "c6db81c550ce", "status": "affected", "versionType": "git"}, {"version": "d5ecebc4900d", "lessThan": "803b3a39cb09", "status": "affected", "versionType": "git"}, {"version": "d5ecebc4900d", "lessThan": "c173d47b69f0", "status": "affected", "versionType": "git"}, {"version": "d5ecebc4900d", "lessThan": "e2a8910af016", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/reparse.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.55", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.14", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07"}, {"url": "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919"}, {"url": "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9"}, {"url": "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404"}], "title": "cifs: Fix buffer overflow when parsing NFS reparse points", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49996", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:30:36.265660Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:38:41.853Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49996", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:30:36.265660Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:30:39.403Z"}}], "cna": {"title": "cifs: Fix buffer overflow when parsing NFS reparse points", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "d5ecebc4900d", "lessThan": "c6db81c550ce", "versionType": "git"}, {"status": "affected", "version": "d5ecebc4900d", "lessThan": "803b3a39cb09", "versionType": "git"}, {"status": "affected", "version": "d5ecebc4900d", "lessThan": "c173d47b69f0", "versionType": "git"}, {"status": "affected", "version": "d5ecebc4900d", "lessThan": "e2a8910af016", "versionType": "git"}], "programFiles": ["fs/smb/client/reparse.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.3"}, {"status": "unaffected", "version": "0", "lessThan": "5.3", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.55", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.14", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11.3", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12-rc2", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/client/reparse.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07"}, {"url": "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919"}, {"url": "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9"}, {"url": "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev()."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:53:09.487Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49996", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:53:09.487Z", "dateReserved": "2024-10-21T12:17:06.056Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T18:02:37.046Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "93FE9DDB-76BE-4920-9078-D8278AF553B3", "versionEndExcluding": "6.6.55", "versionStartIncluding": "5.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C16BCE0-FFA0-4599-BE0A-1FD65101C021", "versionEndExcluding": "6.10.14", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: Se corrige el desbordamiento de b\u00fafer al analizar los puntos de an\u00e1lisis de NFS ReparseDataLength es la suma del tama\u00f1o de InodeType y el tama\u00f1o de DataBuffer. Por lo tanto, para obtener el tama\u00f1o de DataBuffer, es necesario restar el tama\u00f1o de InodeType de ReparseDataLength. La funci\u00f3n cifs_strndup_from_utf16() est\u00e1 accediendo actualmente a buf->DataBuffer en la posici\u00f3n despu\u00e9s del final del b\u00fafer porque no resta el tama\u00f1o de InodeType de la longitud. Solucione este problema y reste correctamente la variable len. El miembro InodeType solo est\u00e1 presente cuando el b\u00fafer de an\u00e1lisis es lo suficientemente grande. Verifique ReparseDataLength antes de acceder a InodeType para evitar otro acceso no v\u00e1lido a la memoria. Los valores rdev principales y secundarios tambi\u00e9n est\u00e1n presentes solo cuando el b\u00fafer de an\u00e1lisis es lo suficientemente grande. Verifique el tama\u00f1o del b\u00fafer de an\u00e1lisis antes de llamar a reparse_mkdev()."}], "id": "CVE-2024-49996", "lastModified": "2024-10-25T19:56:10.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T18:15:19.760", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: cifs: Fix buffer overflow when parsing NFS reparse points", "id": "2320447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320447"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncifs: Fix buffer overflow when parsing NFS reparse points\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev()."], "name": "CVE-2024-49996", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-49996\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49996\nhttps://lore.kernel.org/linux-cve-announce/2024102138-CVE-2024-49996-0d29@gregkh/T"], "threat_severity": "Moderate"}