Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveLinuxCVE-2024-40958
HistoryJul 12, 2024 - 1:15 p.m.

CVE-2024-40958

2024-07-1213:15:17
CWE-416
Linux
web.nvd.nist.gov
31
linux kernel
cve-2024-40958
vulnerability
netns
refcount_t
use-after-free
warning
fix
net
zero refcount
get_net_ns
syzkaller
panic_on_warn

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.3

Confidence

Low

EPSS

0

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

netns: Make get_net_ns() handle zero refcount net

Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0xa3/0xc0
? __warn+0xa5/0x1c0
? refcount_warn_saturate+0xdf/0x1d0
? report_bug+0x1fc/0x2d0
? refcount_warn_saturate+0xdf/0x1d0
? handle_bug+0xa1/0x110
? exc_invalid_op+0x3c/0xb0
? asm_exc_invalid_op+0x1f/0x30
? __warn_printk+0xcc/0x140
? __warn_printk+0xd5/0x140
? refcount_warn_saturate+0xdf/0x1d0
get_net_ns+0xa4/0xc0
? __pfx_get_net_ns+0x10/0x10
open_related_ns+0x5a/0x130
__tun_chr_ioctl+0x1616/0x2370
? __sanitizer_cov_trace_switch+0x58/0xa0
? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
? __pfx_tun_chr_ioctl+0x10/0x10
tun_chr_ioctl+0x2f/0x40
__x64_sys_ioctl+0x11b/0x160
x64_sys_call+0x1211/0x20d0
do_syscall_64+0x9e/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set …

This is trigger as below:
ns0 ns1
tun_set_iff() //dev is tun0
tun->dev = dev
//ip link set tun0 netns ns1
put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
net = dev_net(tun->dev);
open_related_ns(&net->ns, get_net_ns); //ns1
get_net_ns()
get_net() //addition on 0

Use maybe_get_net() in get_net_ns in case net’s ref is zero to fix this

Affected configurations

Nvd
Vulners
Node
linuxlinux_kernelRange5.25.4.279
OR
linuxlinux_kernelRange5.55.10.221
OR
linuxlinux_kernelRange5.115.15.162
OR
linuxlinux_kernelRange5.166.1.96
OR
linuxlinux_kernelRange6.26.6.36
OR
linuxlinux_kernelRange6.76.9.7
OR
linuxlinux_kernelMatch6.10rc1
OR
linuxlinux_kernelMatch6.10rc2
OR
linuxlinux_kernelMatch6.10rc3
OR
linuxlinux_kernelMatch6.10rc4
VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
linuxlinux_kernel6.10cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/core/net_namespace.c"
    ],
    "versions": [
      {
        "version": "0c3e0e3bb623",
        "lessThan": "3a6cd326ead7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3e0e3bb623",
        "lessThan": "2b82028a1f5e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3e0e3bb623",
        "lessThan": "cb7f811f638a",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3e0e3bb623",
        "lessThan": "1b631bffcb2c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3e0e3bb623",
        "lessThan": "ef0394ca2595",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3e0e3bb623",
        "lessThan": "3af28df0d883",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3e0e3bb623",
        "lessThan": "ff960f9d3edb",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/core/net_namespace.c"
    ],
    "versions": [
      {
        "version": "5.2",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.2",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.279",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.221",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.162",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.96",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.36",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.7",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

vulnrichment 1
redhatcve 1
debiancve 1
ubuntucve 1
cvelist 1
osv 15
nvd 1
redhat 2
rocky 1
nessus 24
oraclelinux 4
openvas 14
vulnrichment
vulnrichment
CVE-2024-40958 netns: Make get_net_ns() handle zero refcount net
2024-07-12 12:32:00
redhatcve
redhatcve
CVE-2024-40958
2024-07-16 16:56:57
debiancve
debiancve
CVE-2024-40958
2024-07-12 13:15:17
ubuntucve
ubuntucve
CVE-2024-40958
2024-07-12 00:00:00
cvelist
cvelist
CVE-2024-40958 netns: Make get_net_ns() handle zero refcount net
2024-07-12 12:32:00
osv
osv
CVE-2024-40958
2024-07-12 13:15:00
Important: kernel security update
2024-08-21 14:53:21
linux, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gkeop, linux-ibm, linux-kvm, linux-oracle vulnerabilities
2024-09-12 09:40:42
nvd
nvd
CVE-2024-40958
2024-07-12 13:15:17
redhat
redhat
(RHSA-2024:5363) Important: kernel security update
2024-08-14 00:03:33
(RHSA-2024:5422) Important: OpenShift Container Platform 4.16.8 bug fix and security update
2024-08-20 15:08:36
rocky
rocky
kernel security update
2024-08-21 14:53:21
nessus
nessus
Rocky Linux 9 : kernel (RLSA-2024:5363)
2024-08-21 00:00:00
RHEL 9 : kernel (RHSA-2024:5363)
2024-08-15 00:00:00
Oracle Linux 9 : kernel (ELSA-2024-5363)
2024-08-15 00:00:00
oraclelinux
oraclelinux
kernel security update
2024-08-14 00:00:00
Unbreakable Enterprise kernel security update
2024-09-10 00:00:00
Unbreakable Enterprise kernel-container security update
2024-09-11 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-7003-1)
2024-09-12 00:00:00
Ubuntu: Security Advisory (USN-7003-3)
2024-09-16 00:00:00
Ubuntu: Security Advisory (USN-7003-2)
2024-09-12 00:00:00

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.3

Confidence

Low

EPSS

0

Percentile

5.1%

JSON
Related for CVE-2024-40958
vulnrichment1redhatcve1debiancve1ubuntucve1cvelist1osv15nvd1redhat2rocky1nessus24oraclelinux4openvas14