CVE-2024-26640 — MEDIUM (5.5)

Q: How severe is CVE-2024-26640?

CVE-2024-26640 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-26640?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux.

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: - Page must not be a compound one. - page->mapping must be NULL. This fixes the panic reported by ZhangPeng. syzbot was able to loopback packets built with sendfile(), mapping pages owned by an ext4 file to TCP rx zerocopy. r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10) r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0) fallocate(r5, 0x0, 0x0, 0x85b8) sendfile(r4, r5, 0x0, 0x8ba0) getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40) r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0)

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	>= 4.18, < 5.10.210
Debian	Debian Linux	10.0

References

https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60Mailing ListPatch
https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894Mailing ListPatch
https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541eMailing ListPatch
https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5eMailing ListPatch
https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760Mailing ListPatch
https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6fMailing ListPatch
https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60Mailing ListPatch
https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894Mailing ListPatch
https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541eMailing ListPatch
https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5eMailing ListPatch
https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760Mailing ListPatch
https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6fMailing ListPatch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.htmlMailing List

FAQ

What is CVE-2024-26640?

CVE-2024-26640 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned...

How severe is CVE-2024-26640?

CVE-2024-26640 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-26640?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux.