Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() Syzkaller reported [1] hitting a warning after failing to allocate resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will not help much in this case, it might be prudent to switch to netdev_warn_once(). At the very least it will suppress syzkaller reports such as [1]. Just in case, use netdev_warn_once() in send_prp_supervision_frame() for similar reasons. [1] HSR: Could not send supervision frame WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294 RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294 ... Call Trace: <IRQ> hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382 call_timer_fn+0x193/0x590 kernel/time/timer.c:1700 expire_timers kernel/time/timer.c:1751 [inline] __run_timers+0x764/0xb20 kernel/time/timer.c:2022 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035 __do_softirq+0x21a/0x8de kernel/softirq.c:553 invoke_softirq kernel/softirq.c:427 [inline] __irq_exit_rcu kernel/softirq.c:632 [inline] irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649 ... This issue is also found in older kernels (at least up to 5.10).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 5.9, < 5.10.210 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfbPatch
- https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06ePatch
- https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51Patch
- https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023aPatch
- https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8Patch
- https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0Patch
- https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfbPatch
- https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06ePatch
- https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51Patch
- https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023aPatch
- https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8Patch
- https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0Patch
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.htmlMailing List
FAQ
What is CVE-2024-26707?
CVE-2024-26707 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() Syzkaller reported [1] hitting a warning after failing to allocate re...
How severe is CVE-2024-26707?
CVE-2024-26707 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-26707?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux.