{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T08:08:44.120","vulnerabilities":[{"cve":{"id":"CVE-2024-26859","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-04-17T11:15:08.893","lastModified":"2025-03-04T15:44:46.923","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/bnx2x: impide el acceso a una página liberada en page_pool. Repara la condición de carrera que provoca un bloqueo del sistema durante el manejo de errores EEH. Durante la recuperación de errores EEH, la lógica de tiempo de espera de transmisión del controlador bnx2x podría provocar una carrera. condición al manejar tareas de reinicio. El bnx2x_tx_timeout() programa tareas de reinicio a través de bnx2x_sp_rtnl_task(), lo que finalmente conduce a bnx2x_nic_unload(). En bnx2x_nic_unload(), los SGE se liberan utilizando bnx2x_free_rx_sge_range(). Sin embargo, esto podría superponerse con el intento del controlador EEH de restablecer el dispositivo usando bnx2x_io_slot_reset(), que también intenta liberar los SGE. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring [índice]; 803 página de estructura *página = sw_buf->página; .... donde sw_buf se configuró en NULL después de la llamada a dma_unmap_page() por el hilo anterior. EEH: Comienzo: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invocando bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]Reinicio de ranura IO inicializando... bnx2x 0011:01:00.0: habilitando dispositivo (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]Restablecimiento de ranura IO --> descarga del controlador El kernel intentó leer la página del usuario (0): ¿intento de explotación? (uid: 0) ERROR: Desreferencia del puntero NULL del kernel al leer en 0x00000000 Dirección de instrucción errónea: 0xc0080000025065fc Ups: Acceso al kernel del área defectuosa, firma: 11 [#1] ..... Seguimiento de llamadas: [c000000003c67a20] [c00800000250658c] 2x_io_slot_reset +0x204/0x610 [bnx2x] (no confiable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] 180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler +0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Para resolver este problema, necesitamos verifique las asignaciones del grupo de páginas antes de liberarlas."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.19.311","matchCriteriaId":"AD980215-9885-4AEF-8844-E63A850472EB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.273","matchCriteriaId":"620FD8B7-BF03-43E0-951A-0A58461D4C55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.214","matchCriteriaId":"65987874-467B-4D3B-91D6-68A129B34FB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.153","matchCriteriaId":"ACB69438-845D-4E3C-B114-3140611F9C0B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.83","matchCriteriaId":"121A07F6-F505-4C47-86BF-9BB6CC7B6C19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.23","matchCriteriaId":"E00814DC-0BA7-431A-9926-80FEB4A96C68"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.11","matchCriteriaId":"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.2","matchCriteriaId":"543A75FF-25B8-4046-A514-1EA8EDD87AB1"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}