{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-30T23:14:55.205","vulnerabilities":[{"cve":{"id":"CVE-2024-26961","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-01T06:15:12.437","lastModified":"2024-12-23T13:37:44.197","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n <TASK>\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org)."},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mac802154: corrige la liberación de recursos de clave llsec en mac802154_llsec_key_del mac802154_llsec_key_del() puede liberar recursos de una clave directamente sin seguir las reglas de RCU para esperar antes del final de un período de gracia. Esto puede llevar a un use-after-free en caso de que llsec_lookup_key() esté recorriendo la lista de claves en paralelo con una eliminación de clave: refcount_t: suma en 0; use-after-free. ADVERTENCIA: CPU: 4 PID: 16000 en lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0 Módulos vinculados en: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Nombre de hardware: PC estándar QEMU ( i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 01/04/2014 RIP: 0010:refcount_warn_saturate+0x162/0x2a0 Seguimiento de llamadas:  llsec_lookup_key.isra.0+0x890/0x9e0 mac802154_llsec_ cifrar+ 0x30c/0x9c0 ieee802154_subif_start_xmit+0x24/0x1e0 dev_hard_start_xmit+0x13e/0x690 sch_direct_xmit+0x2ae/0xbc0 __dev_queue_xmit+0x11dd/0x3c20 dgram_sendmsg+0x90b/0xd60 __ sys_sendto+0x466/0x4c0 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x45/0xf0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 Además, Las estructuras ieee802154_llsec_key_entry no son liberadas por mac802154_llsec_key_del(): objeto sin referencia 0xffff8880613b6980 (tamaño 64): comm \"iwpan\", pid 2176, jiffies 4294761134 (edad 60,475 s) volcado hexadecimal (primeros 32 bytes): 8 0d 8f 18 80 88 y siguientes y siguientes 22 01 00 00 00 00 ad de x.......\"....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ........... ..... retroceso: [] __kmem_cache_alloc_node+0x1e2/0x2d0 [] kmalloc_trace+0x25/0xc0 [] mac802154_llsec_key_add+0xac9/0xcf0 ffffffff8896e41a&gt;] ieee802154_add_llsec_key+0x5a/0x80 [] nl802154_add_llsec_key+0x426/0x5b0 [] genl_family_rcv_msg_doit+0x1fe/0x2f0 [] genl_rcv_msg+0x531/0x7d0 [] netlink_rcv_skb+0x169/0x440 [] genl_rcv+0x28/0x40 [] netlink_unicast+0x53c/0x820 [] netlink_sendmsg+0x93b/0xe60 [] ____sys_sendmsg+0xac5/0xca0 [] ___sys_sendmsg+0x11d/0 x1c0 [] __sys_sendmsg+0xfa/0x1d0 [] do_syscall_64+0x45/0xf0 [] Entry_SYSCALL_64_after_hwframe+0x6e/0x76 Maneja la liberación adecuada de recursos en la función de devolución de llamada de RCU mac802154_llsec_key_del_rcu(). Tenga en cuenta que si llsec_lookup_key() encuentra una clave, obtiene un recuento a través de llsec_key_get() y copia localmente la identificación de la clave de key_entry (que es un elemento de la lista). Por lo tanto, es seguro llamar a llsec_key_put() y liberar la entrada de la lista después de que transcurra el período de gracia de RCU. Encontrado por el Centro de verificación de Linux (linuxtesting.org)."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"5.10.215","matchCriteriaId":"46A56CAB-271E-4C61-8E54-08CC18E95897"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.154","matchCriteriaId":"577E212E-7E95-4A71-9B5C-F1D1A3AFFF46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.84","matchCriteriaId":"834D9BD5-42A6-4D74-979E-4D6D93F630FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.24","matchCriteriaId":"8018C1D0-0A5F-48D0-BC72-A2B33FDDA693"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.12","matchCriteriaId":"6BE9771A-BAFD-4624-95F9-58D536540C53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.3","matchCriteriaId":"4C59BBC3-6495-4A77-9C82-55EC7CDF5E02"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}