CVE-2024-57900
Vulnerability from cvelistv5
Published
2025-01-15 13:05
Modified
2025-02-13 14:04
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue. Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). [1] BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43ecaPatch
Impacted products
Vendor Product Version
Linux Linux Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
Version: 7f00feaf107645d95a6d87e99b4d141ac0a08efd
 Create a notification for this product.
   Linux Linux Version: 4.5
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T13:56:44.602768Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:04:27.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1638f430f8900f2375f5de45508fbe553997e190",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "d3017895e393536b234cf80a83fc463c08a28137",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "ad0677c37c14fa28913daea92d139644d7acf04e",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "17e8fa894345e8d2c7a7642482267b275c3d4553",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "3d1b63cf468e446b9feaf4e4e73182b9cc82f460",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "260466b576bca0081a7d4acecc8e93687aa22d0e",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.289",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.233",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.176",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.124",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: serialize calls to nf_register_net_hooks()\n\nsyzbot found a race in ila_add_mapping() [1]\n\ncommit 031ae72825ce (\"ila: call nf_unregister_net_hooks() sooner\")\nattempted to fix a similar issue.\n\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\n\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\n\n[1]\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\n\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0xc3/0x620 mm/kasan/report.c:489\n  kasan_report+0xd9/0x110 mm/kasan/report.c:602\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\n  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\n  NF_HOOK include/linux/netfilter.h:312 [inline]\n  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\n  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\n  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\n  process_backlog+0x443/0x15f0 net/core/dev.c:6117\n  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\n  napi_poll net/core/dev.c:6952 [inline]\n  net_rx_action+0xa94/0x1010 net/core/dev.c:7074\n  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\n  __do_softirq kernel/softirq.c:595 [inline]\n  invoke_softirq kernel/softirq.c:435 [inline]\n  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-20T06:29:11.186Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca"
        },
        {
          "url": "https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460"
        },
        {
          "url": "https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e"
        }
      ],
      "title": "ila: serialize calls to nf_register_net_hooks()",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57900",
    "datePublished": "2025-01-15T13:05:51.798Z",
    "dateReserved": "2025-01-11T14:45:42.030Z",
    "dateUpdated": "2025-02-13T14:04:27.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-57900\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-15T13:15:14.633\",\"lastModified\":\"2025-02-13T14:16:18.027\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nila: serialize calls to nf_register_net_hooks()\\n\\nsyzbot found a race in ila_add_mapping() [1]\\n\\ncommit 031ae72825ce (\\\"ila: call nf_unregister_net_hooks() sooner\\\")\\nattempted to fix a similar issue.\\n\\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\\n\\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\\n\\n[1]\\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\\n\\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\\nCall Trace:\\n \u003cIRQ\u003e\\n  __dump_stack lib/dump_stack.c:94 [inline]\\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\\n  print_address_description mm/kasan/report.c:378 [inline]\\n  print_report+0xc3/0x620 mm/kasan/report.c:489\\n  kasan_report+0xd9/0x110 mm/kasan/report.c:602\\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\\n  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\\n  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\\n  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\\n  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\\n  NF_HOOK include/linux/netfilter.h:312 [inline]\\n  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\\n  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\\n  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\\n  process_backlog+0x443/0x15f0 net/core/dev.c:6117\\n  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\\n  napi_poll net/core/dev.c:6952 [inline]\\n  net_rx_action+0xa94/0x1010 net/core/dev.c:7074\\n  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\\n  __do_softirq kernel/softirq.c:595 [inline]\\n  invoke_softirq kernel/softirq.c:435 [inline]\\n  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\\n  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ila: serializar llamadas a nf_register_net_hooks() syzbot encontr\u00f3 una carrera en ila_add_mapping() [1] la confirmaci\u00f3n 031ae72825ce (\\\"ila: llamar a nf_unregister_net_hooks() antes\\\") intent\u00f3 solucionar un problema similar. Al observar la reproducci\u00f3n de syzbot, tenemos comandos ILA_CMD_ADD simult\u00e1neos. Agregue un mutex para asegurarse de que, como m\u00e1ximo, un hilo est\u00e9 llamando a nf_register_net_hooks(). [1] ERROR: KASAN: slab-use-after-free en rht_key_hashfn include/linux/rhashtable.h:159 [en l\u00ednea] ERROR: KASAN: slab-use-after-free en __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff888028f40008 por la tarea dhcpcd/5501 CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd No contaminado 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:94 [en l\u00ednea] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [en l\u00ednea] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [en l\u00ednea] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [en l\u00ednea] rhashtable_lookup_fast include/linux/rhashtable.h:672 [en l\u00ednea] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [en l\u00ednea] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [en l\u00ednea] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [en l\u00ednea] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [en l\u00ednea] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [en l\u00ednea] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [en l\u00ednea] invoke_softirq kernel/softirq.c:435 [en l\u00ednea] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [en l\u00ednea] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.5\",\"versionEndExcluding\":\"5.4.289\",\"matchCriteriaId\":\"2704A089-B6A5-4F12-9387-0878A5A9C054\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.233\",\"matchCriteriaId\":\"44569A17-FE4C-4BE3-9C0C-74AC54C7B51B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.176\",\"matchCriteriaId\":\"DDBD8FC6-2357-4347-BFA1-B4A4A3039F35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.124\",\"matchCriteriaId\":\"1B69CE1B-5219-42EB-B7DD-7E7D7F1DB032\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.70\",\"matchCriteriaId\":\"51E6CFF2-92AA-4936-95AB-2D068168A696\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.9\",\"matchCriteriaId\":\"1D13AF97-FFED-4B68-906D-CFE38D0B88DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A073481-106D-4B15-B4C7-FB0213B8E1D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE491969-75AE-4A6B-9A58-8FC5AF98798F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"93C0660D-7FB8-4FBA-892A-B064BA71E49E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"034C36A6-C481-41F3-AE9A-D116E5BE6895\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-57900\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-13T13:56:44.602768Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-13T13:56:45.900Z\"}}], \"cna\": {\"title\": \"ila: serialize calls to nf_register_net_hooks()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"1638f430f8900f2375f5de45508fbe553997e190\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"d3017895e393536b234cf80a83fc463c08a28137\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"ad0677c37c14fa28913daea92d139644d7acf04e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"17e8fa894345e8d2c7a7642482267b275c3d4553\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"3d1b63cf468e446b9feaf4e4e73182b9cc82f460\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7f00feaf107645d95a6d87e99b4d141ac0a08efd\", \"lessThan\": \"260466b576bca0081a7d4acecc8e93687aa22d0e\", \"versionType\": \"git\"}], \"programFiles\": [\"net/ipv6/ila/ila_xlat.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.5\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.289\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.233\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.176\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.124\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.70\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.9\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/ipv6/ila/ila_xlat.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190\"}, {\"url\": \"https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137\"}, {\"url\": \"https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e\"}, {\"url\": \"https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca\"}, {\"url\": \"https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553\"}, {\"url\": \"https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460\"}, {\"url\": \"https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nila: serialize calls to nf_register_net_hooks()\\n\\nsyzbot found a race in ila_add_mapping() [1]\\n\\ncommit 031ae72825ce (\\\"ila: call nf_unregister_net_hooks() sooner\\\")\\nattempted to fix a similar issue.\\n\\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\\n\\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\\n\\n[1]\\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\\n\\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\\nCall Trace:\\n \u003cIRQ\u003e\\n  __dump_stack lib/dump_stack.c:94 [inline]\\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\\n  print_address_description mm/kasan/report.c:378 [inline]\\n  print_report+0xc3/0x620 mm/kasan/report.c:489\\n  kasan_report+0xd9/0x110 mm/kasan/report.c:602\\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\\n  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\\n  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\\n  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\\n  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\\n  NF_HOOK include/linux/netfilter.h:312 [inline]\\n  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\\n  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\\n  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\\n  process_backlog+0x443/0x15f0 net/core/dev.c:6117\\n  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\\n  napi_poll net/core/dev.c:6952 [inline]\\n  net_rx_action+0xa94/0x1010 net/core/dev.c:7074\\n  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\\n  __do_softirq kernel/softirq.c:595 [inline]\\n  invoke_softirq kernel/softirq.c:435 [inline]\\n  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\\n  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-01-20T06:29:11.186Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-57900\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T14:04:27.590Z\", \"dateReserved\": \"2025-01-11T14:45:42.030Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-01-15T13:05:51.798Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.