{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-50151", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T19:36:19.959Z", "datePublished": "2024-11-07T09:31:27.672Z", "dateUpdated": "2025-11-03T22:26:10.332Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:47:21.596Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOBs when building SMB2_IOCTL request\n\nWhen using encryption, either enforced by the server or when using\n'seal' mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\n\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst->iov[0].iov_base as shown below:\n\n mount.cifs //srv/share /mnt -o ...,seal\n ln -s $(perl -e \"print('a')for 1..1024\") /mnt/link\n\n BUG: KASAN: slab-out-of-bounds in\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n Write of size 4116 at addr ffff8881148fcab8 by task ln/859\n\n CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n 1.16.3-2.fc40 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n print_report+0x156/0x4d9\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n ? __virt_addr_valid+0x145/0x310\n ? __phys_addr+0x46/0x90\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_report+0xda/0x110\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_check_range+0x10f/0x1f0\n __asan_memcpy+0x3c/0x60\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n smb2_compound_op+0x238c/0x3840 [cifs]\n ? kasan_save_track+0x14/0x30\n ? kasan_save_free_info+0x3b/0x70\n ? vfs_symlink+0x1a1/0x2c0\n ? do_symlinkat+0x108/0x1c0\n ? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n ? kmem_cache_free+0x118/0x3e0\n ? cifs_get_writable_path+0xeb/0x1a0 [cifs]\n smb2_get_reparse_inode+0x423/0x540 [cifs]\n ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? __kmalloc_noprof+0x37c/0x480\n ? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\n cifs_symlink+0x24f/0x960 [cifs]\n ? __pfx_make_vfsuid+0x10/0x10\n ? __pfx_cifs_symlink+0x10/0x10 [cifs]\n ? make_vfsgid+0x6b/0xc0\n ? generic_permission+0x96/0x2d0\n vfs_symlink+0x1a1/0x2c0\n do_symlinkat+0x108/0x1c0\n ? __pfx_do_symlinkat+0x10/0x10\n ? strncpy_from_user+0xaa/0x160\n __x64_sys_symlinkat+0xb9/0xf0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f08d75c13bb"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/smb2pdu.c"], "versions": [{"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "6f0516ef1290da24b85461ed08a0938af7415e49", "status": "affected", "versionType": "git"}, {"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "ed31aba8ce93472d9e16f5cff844ae7c94e9601d", "status": "affected", "versionType": "git"}, {"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "e07d05b7f5ad9a503d9cab0afde2ab867bb65470", "status": "affected", "versionType": "git"}, {"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "2ef632bfb888d1a14f81c1703817951e0bec5531", "status": "affected", "versionType": "git"}, {"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "b209c3a0bc3ac172265c7fa8309e5d00654f2510", "status": "affected", "versionType": "git"}, {"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec", "status": "affected", "versionType": "git"}, {"version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "1ab60323c5201bef25f2a3dc0ccc404d9aca77f1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/smb2pdu.c"], "versions": [{"version": "5.0", "status": "affected"}, {"version": "0", "lessThan": "5.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.285", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.229", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.170", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.115", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.59", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.6", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.4.285"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.10.229"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.15.170"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.1.115"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.6.59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.11.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "6.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49"}, {"url": "https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d"}, {"url": "https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470"}, {"url": "https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531"}, {"url": "https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510"}, {"url": "https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec"}, {"url": "https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1"}], "title": "smb: client: fix OOBs when building SMB2_IOCTL request", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-50151", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-01T20:20:44.094146Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T20:27:13.291Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:26:10.332Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-50151", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-01T20:20:44.094146Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T15:17:56.350Z"}}], "cna": {"title": "smb: client: fix OOBs when building SMB2_IOCTL request", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "6f0516ef1290da24b85461ed08a0938af7415e49", "versionType": "git"}, {"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "ed31aba8ce93472d9e16f5cff844ae7c94e9601d", "versionType": "git"}, {"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "e07d05b7f5ad9a503d9cab0afde2ab867bb65470", "versionType": "git"}, {"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "2ef632bfb888d1a14f81c1703817951e0bec5531", "versionType": "git"}, {"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "b209c3a0bc3ac172265c7fa8309e5d00654f2510", "versionType": "git"}, {"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec", "versionType": "git"}, {"status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "lessThan": "1ab60323c5201bef25f2a3dc0ccc404d9aca77f1", "versionType": "git"}], "programFiles": ["fs/smb/client/smb2pdu.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.0"}, {"status": "unaffected", "version": "0", "lessThan": "5.0", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.285", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.229", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.170", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.115", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.59", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.11.6", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/smb/client/smb2pdu.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49"}, {"url": "https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d"}, {"url": "https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470"}, {"url": "https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531"}, {"url": "https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510"}, {"url": "https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec"}, {"url": "https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOBs when building SMB2_IOCTL request\n\nWhen using encryption, either enforced by the server or when using\n'seal' mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\n\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst->iov[0].iov_base as shown below:\n\n mount.cifs //srv/share /mnt -o ...,seal\n ln -s $(perl -e \"print('a')for 1..1024\") /mnt/link\n\n BUG: KASAN: slab-out-of-bounds in\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n Write of size 4116 at addr ffff8881148fcab8 by task ln/859\n\n CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n 1.16.3-2.fc40 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n print_report+0x156/0x4d9\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n ? __virt_addr_valid+0x145/0x310\n ? __phys_addr+0x46/0x90\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_report+0xda/0x110\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_check_range+0x10f/0x1f0\n __asan_memcpy+0x3c/0x60\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n smb2_compound_op+0x238c/0x3840 [cifs]\n ? kasan_save_track+0x14/0x30\n ? kasan_save_free_info+0x3b/0x70\n ? vfs_symlink+0x1a1/0x2c0\n ? do_symlinkat+0x108/0x1c0\n ? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n ? kmem_cache_free+0x118/0x3e0\n ? cifs_get_writable_path+0xeb/0x1a0 [cifs]\n smb2_get_reparse_inode+0x423/0x540 [cifs]\n ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? __kmalloc_noprof+0x37c/0x480\n ? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\n cifs_symlink+0x24f/0x960 [cifs]\n ? __pfx_make_vfsuid+0x10/0x10\n ? __pfx_cifs_symlink+0x10/0x10 [cifs]\n ? make_vfsgid+0x6b/0xc0\n ? generic_permission+0x96/0x2d0\n vfs_symlink+0x1a1/0x2c0\n do_symlinkat+0x108/0x1c0\n ? __pfx_do_symlinkat+0x10/0x10\n ? strncpy_from_user+0xaa/0x160\n __x64_sys_symlinkat+0xb9/0xf0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f08d75c13bb"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.285", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.229", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.170", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.115", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.59", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11.6", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12", "versionStartIncluding": "5.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:47:21.596Z"}}}, "cveMetadata": {"cveId": "CVE-2024-50151", "state": "PUBLISHED", "dateUpdated": "2025-10-01T20:27:13.291Z", "dateReserved": "2024-10-21T19:36:19.959Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-11-07T09:31:27.672Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "624D9A7E-BE56-498C-AB49-4DF81EB85011", "versionEndExcluding": "5.4.285", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A03CABE-9B43-4E7F-951F-10DEEADAA426", "versionEndExcluding": "5.10.229", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9BA1C73-2D2E-45E3-937B-276A28AEB5FC", "versionEndExcluding": "5.15.170", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE", "versionEndExcluding": "6.1.115", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D15CA59-D15C-4ACD-8B03-A072DEAD2081", "versionEndExcluding": "6.6.59", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4486B12-007B-4794-9857-F07145637AA1", "versionEndExcluding": "6.11.6", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOBs when building SMB2_IOCTL request\n\nWhen using encryption, either enforced by the server or when using\n'seal' mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\n\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst->iov[0].iov_base as shown below:\n\n mount.cifs //srv/share /mnt -o ...,seal\n ln -s $(perl -e \"print('a')for 1..1024\") /mnt/link\n\n BUG: KASAN: slab-out-of-bounds in\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n Write of size 4116 at addr ffff8881148fcab8 by task ln/859\n\n CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n 1.16.3-2.fc40 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n print_report+0x156/0x4d9\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n ? __virt_addr_valid+0x145/0x310\n ? __phys_addr+0x46/0x90\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_report+0xda/0x110\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_check_range+0x10f/0x1f0\n __asan_memcpy+0x3c/0x60\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n smb2_compound_op+0x238c/0x3840 [cifs]\n ? kasan_save_track+0x14/0x30\n ? kasan_save_free_info+0x3b/0x70\n ? vfs_symlink+0x1a1/0x2c0\n ? do_symlinkat+0x108/0x1c0\n ? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n ? kmem_cache_free+0x118/0x3e0\n ? cifs_get_writable_path+0xeb/0x1a0 [cifs]\n smb2_get_reparse_inode+0x423/0x540 [cifs]\n ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? __kmalloc_noprof+0x37c/0x480\n ? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\n cifs_symlink+0x24f/0x960 [cifs]\n ? __pfx_make_vfsuid+0x10/0x10\n ? __pfx_cifs_symlink+0x10/0x10 [cifs]\n ? make_vfsgid+0x6b/0xc0\n ? generic_permission+0x96/0x2d0\n vfs_symlink+0x1a1/0x2c0\n do_symlinkat+0x108/0x1c0\n ? __pfx_do_symlinkat+0x10/0x10\n ? strncpy_from_user+0xaa/0x160\n __x64_sys_symlinkat+0xb9/0xf0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f08d75c13bb"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corregir OOB al crear una solicitud SMB2_IOCTL Al usar cifrado, ya sea aplicado por el servidor o al usar la opci\u00f3n de montaje 'seal', el cliente comprimir\u00e1 todos los buffers de solicitud compuestos para el cifrado en un solo iov en smb2_set_next_command(). SMB2_ioctl_init() asigna un peque\u00f1o b\u00fafer (448 bytes) para contener la solicitud SMB2_IOCTL en el primer iov, y si el usuario pasa un b\u00fafer de entrada que es mayor a 328 bytes, smb2_set_next_command() terminar\u00e1 escribiendo el final de @rqst-&gt;iov[0].iov_base como se muestra a continuaci\u00f3n: mount.cifs //srv/share /mnt -o ...,seal ln -s $(perl -e \"print('a')for 1..1024\") /mnt/link ERROR: KASAN: slab-out-of-bounds en smb2_set_next_command.cold+0x1d6/0x24c [cifs] Escritura de tama\u00f1o 4116 en la direcci\u00f3n ffff8881148fcab8 por tarea ln/859 CPU: 1 UID: 0 PID: 859 Comm: ln No contaminado 6.12.0-rc3 #1 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5d/0x80 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] print_report+0x156/0x4d9 ? smb2_set_next_command.cold+0x1d6/0x24c [cifs] ? __virt_addr_valid+0x145/0x310 ? __phys_addr+0x46/0x90 ? vfs_symlink+0x1a1/0x2c0 ? __pfx_smb2_compound_op+0x10/0x10 [cifs] ? kmem_cache_free+0x118/0x3e0 ? cifs_get_writable_path+0xeb/0x1a0 [cifs] ? smb2_get_reparse_inode+0x423/0x540 [cifs] ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? __kmalloc_noprof+0x37c/0x480 ? smb2_create_reparse_symlink+0x257/0x490 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs] ? __buscar_bloqueo_mantenido+0x8a/0xa0 ? __hlock_class+0x32/0xb0 ? __ruta_de_compilaci\u00f3n_desde_dentry_prefijo_opcional+0x19d/0x2e0 [cifs] ? __pfx_make_vfsuid+0x10/0x10 ? __pfx_cifs_symlink+0x10/0x10 [cifs] ? make_vfsgid+0x6b/0xc0 ? permiso_gen\u00e9rico+0x96/0x2d0 vfs_symlink+0x1a1/0x2c0 do_symlinkat+0x108/0x1c0 ? __pfx_do_symlinkat+0x10/0x10 ? strncpy_from_user+0xaa/0x160 __x64_sys_symlinkat+0xb9/0xf0 do_syscall_64+0xbb/0x1d0 entrada_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08d75c13bb"}], "id": "CVE-2024-50151", "lastModified": "2025-11-03T23:16:55.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-07T10:15:06.780", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:6966", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.12.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:6966", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.12.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "kernel: smb: client: fix OOBs when building SMB2_IOCTL request", "id": "2324324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324324"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix OOBs when building SMB2_IOCTL request\nWhen using encryption, either enforced by the server or when using\n'seal' mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst->iov[0].iov_base as shown below:\nmount.cifs //srv/share /mnt -o ...,seal\nln -s $(perl -e \"print('a')for 1..1024\") /mnt/link\nBUG: KASAN: slab-out-of-bounds in\nsmb2_set_next_command.cold+0x1d6/0x24c [cifs]\nWrite of size 4116 at addr ffff8881148fcab8 by task ln/859\nCPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n1.16.3-2.fc40 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x5d/0x80\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\nprint_report+0x156/0x4d9\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n? __virt_addr_valid+0x145/0x310\n? __phys_addr+0x46/0x90\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\nkasan_report+0xda/0x110\n? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\nkasan_check_range+0x10f/0x1f0\n__asan_memcpy+0x3c/0x60\nsmb2_set_next_command.cold+0x1d6/0x24c [cifs]\nsmb2_compound_op+0x238c/0x3840 [cifs]\n? kasan_save_track+0x14/0x30\n? kasan_save_free_info+0x3b/0x70\n? vfs_symlink+0x1a1/0x2c0\n? do_symlinkat+0x108/0x1c0\n? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n? kmem_cache_free+0x118/0x3e0\n? cifs_get_writable_path+0xeb/0x1a0 [cifs]\nsmb2_get_reparse_inode+0x423/0x540 [cifs]\n? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n? rcu_is_watching+0x20/0x50\n? __kmalloc_noprof+0x37c/0x480\n? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\nsmb2_create_reparse_symlink+0x38f/0x490 [cifs]\n? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n? find_held_lock+0x8a/0xa0\n? hlock_class+0x32/0xb0\n? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\ncifs_symlink+0x24f/0x960 [cifs]\n? __pfx_make_vfsuid+0x10/0x10\n? __pfx_cifs_symlink+0x10/0x10 [cifs]\n? make_vfsgid+0x6b/0xc0\n? generic_permission+0x96/0x2d0\nvfs_symlink+0x1a1/0x2c0\ndo_symlinkat+0x108/0x1c0\n? __pfx_do_symlinkat+0x10/0x10\n? strncpy_from_user+0xaa/0x160\n__x64_sys_symlinkat+0xb9/0xf0\ndo_syscall_64+0xbb/0x1d0\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f08d75c13bb", "A flaw was found in the cifs module in the Linux kernel. When building SMB2_IOCTL requests using encryption, either enforced by the server or using the 'seal' mount option, an out-of-bounds write can be triggered when the user passes an input buffer greater than 328 bytes, resulting in memory corruption and a kernel crash."], "mitigation": {"lang": "en:us", "value": "Consider temporarily disabling SMB encryption and monitor the system for unusual behavior, such as crashes, as it may indicate exploitation attempts."}, "name": "CVE-2024-50151", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-50151\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50151\nhttps://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50151-f52b@gregkh/T"], "statement": "To exploit this flaw, an attacker needs local access to the system and SMB encryption must be enabled, limiting the impact of this issue. For these reasons, this flaw has been rated with a moderate severity.\nThe cifs module in the Linux kernel as shipped in Red Hat Enterprise Linux 8 is not affected by this vulnerability because the vulnerable code was introduced in a newer version of the Linux kernel.", "threat_severity": "Moderate"}

{}