{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T02:13:03.412","vulnerabilities":[{"cve":{"id":"CVE-2024-42152","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-07-30T08:15:06.763","lastModified":"2025-11-03T22:17:43.050","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl->sqs and sq->ctrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq->ctrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq->ctrl after all inflight request has\ncompleted, where for sure sq->ctrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvmet: corrige una posible fuga al destruir un ctrl durante el establecimiento de qp En nvmet_sq_destroy capturamos sq->ctrl temprano y si no es NULL sabemos que se asignó un ctrl (en el controlador de solicitudes de conexión de administrador) y necesitamos liberar los AER pendientes, borrar ctrl->sqs y sq->ctrl (principalmente para nvme-loop) y eliminar la referencia final en ctrl. Sin embargo, es posible una pequeña ventana donde se inicia nvmet_sq_destroy (como resultado de que el cliente se rinde y se desconecta) al mismo tiempo que el cmd de conexión del administrador de nvme (que puede estar en una etapa inicial). Pero *antes* de kill_and_confirm de sq->ref (es decir, la conexión del administrador logró obtener una referencia en vivo de sq). En este caso, se asignó sq->ctrl sin embargo después de ser capturado en una variable local en nvmet_sq_destroy. Esto evitó la caída de la referencia final en Ctrl. Resuelva esto volviendo a capturar sq->ctrl después de que se hayan completado todas las solicitudes en curso, donde con seguridad la referencia sq->ctrl es definitiva, y avance en función de eso. Este problema se observó en un entorno con muchos hosts que conectaban múltiples controles simultáneamente, lo que creaba un retraso en la asignación de un control que conducía a esta ventana de ejecución."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.10.222","matchCriteriaId":"6A024C9F-1F70-4EB4-B7D0-432011590CAB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.163","matchCriteriaId":"A97DEB09-4927-40F8-B5C6-F5BD5EAE0CFD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.98","matchCriteriaId":"E09E92A5-27EF-40E4-926A-B1CDC8270551"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.39","matchCriteriaId":"29E894E4-668F-4DB0-81F7-4FB5F698E970"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.9.9","matchCriteriaId":"ADCC1407-0CB3-4C8F-B4C5-07F682CD7085"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*","matchCriteriaId":"2EBB4392-5FA6-4DA9-9772-8F9C750109FA"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}