{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mac802154: fix llsec key resources release in mac802154_llsec_key_del",
    "id" : "2278176",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2278176"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-459",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n<TASK>\nllsec_lookup_key.isra.0+0x890/0x9e0\nmac802154_llsec_encrypt+0x30c/0x9c0\nieee802154_subif_start_xmit+0x24/0x1e0\ndev_hard_start_xmit+0x13e/0x690\nsch_direct_xmit+0x2ae/0xbc0\n__dev_queue_xmit+0x11dd/0x3c20\ndgram_sendmsg+0x90b/0xd60\n__sys_sendto+0x466/0x4c0\n__x64_sys_sendto+0xe0/0x1c0\ndo_syscall_64+0x45/0xf0\nentry_SYSCALL_64_after_hwframe+0x6e/0x76\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\nunreferenced object 0xffff8880613b6980 (size 64):\ncomm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\nhex dump (first 32 bytes):\n78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\nbacktrace:\n[<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0\n[<ffffffff81c43865>] kmalloc_trace+0x25/0xc0\n[<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0\n[<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80\n[<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0\n[<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0\n[<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0\n[<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440\n[<ffffffff86ff1d88>] genl_rcv+0x28/0x40\n[<ffffffff86fec15c>] netlink_unicast+0x53c/0x820\n[<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60\n[<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0\n[<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0\n[<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0\n[<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0\n[<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\nFound by Linux Verification Center (linuxtesting.org).", "A flaw was found in the Linux Kernel where resources are improperly managed in IEEE 802.15.4 networking, leading to a potential use-after-free issue, resulting in a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5102",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5101",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.16.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5065",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.115.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5065",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.115.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5065",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.115.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-11-26T00:00:00Z",
    "advisory" : "RHSA-2024:10262",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.81.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8617",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.42.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8617",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.42.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8613",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.90.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8614",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.90.1.rt14.375.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26961\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26961\nhttps://lore.kernel.org/linux-cve-announce/2024050129-CVE-2024-26961-408d@gregkh/T" ],
  "name" : "CVE-2024-26961",
  "csaw" : false
}