CVE-2024-26849

Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26849
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26849.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2024-26849
Published: 2024-04-17T10:14:20Z
Modified: 2025-10-15T09:06:13.046928Z
Summary: netlink: add nla be16/32 types to minlen array
Details

In the Linux kernel, the following vulnerability has been resolved:

netlink: add nla be16/32 types to minlen array

BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
 nla_validate_range_unsigned lib/nlattr.c:222 [inline]
 nla_validate_int_range lib/nlattr.c:336 [inline]
 validate_nla lib/nlattr.c:575 [inline]
...

The message in question matches this policy:

[NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255),

but because NLA_BE32 size in minlen array is 0, the validation code will read past the malformed (too small) attribute.

Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing: those likely should be added too.
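
The length gate described above, as an added userspace model (not code from the kernel or from this record): a per-type minimum-length table with the big-endian 32-bit entry missing, next to the same table with it present. All names (model_type, validate_max, the sample attributes) are hypothetical, the payloads are constructed, and the model reports the would-be over-read instead of performing it.

```c
/* Added illustration: userspace model of the per-type length check.
 * Not kernel code; all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum model_type { M_UNSPEC, M_U32, M_BE32, M_TYPE_MAX };
enum verdict { V_OK, V_ERANGE, V_TOO_SHORT, V_WOULD_OVERREAD };

/* Minimum payload length per type; unlisted types default to 0. */
static const uint8_t minlen_before[M_TYPE_MAX] = { [M_U32] = 4 };
static const uint8_t minlen_after[M_TYPE_MAX]  = { [M_U32] = 4, [M_BE32] = 4 };

struct model_attr { uint16_t len; const uint8_t *payload; };

/* Length gate first, then a "value <= max" range check on a 32-bit
 * big-endian payload, as a policy like NLA_POLICY_MAX(NLA_BE32, 255) asks. */
static enum verdict validate_max(const struct model_attr *a, enum model_type t,
                                 const uint8_t *minlen, uint32_t max)
{
    if (a->len < minlen[t])
        return V_TOO_SHORT;          /* rejected before any payload read */
    if (a->len < 4)
        return V_WOULD_OVERREAD;     /* model reports it instead of reading */
    const uint8_t *p = a->payload;
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | p[3];
    return v <= max ? V_OK : V_ERANGE;
}

/* Constructed sample attributes. */
static const uint8_t short_payload[2] = { 0x00, 0x01 };
static const uint8_t good_payload[4]  = { 0x00, 0x00, 0x00, 0x07 };
static const uint8_t big_payload[4]   = { 0x00, 0x00, 0x01, 0x00 };
static const struct model_attr short_attr = { 2, short_payload };
static const struct model_attr good_attr  = { 4, good_payload };
static const struct model_attr big_attr   = { 4, big_payload };

int main(void)
{
    printf("short attr, table without BE32: %d\n",
           validate_max(&short_attr, M_BE32, minlen_before, 255));
    printf("short attr, table with BE32:    %d\n",
           validate_max(&short_attr, M_BE32, minlen_after, 255));
    printf("value 7:   %d\n", validate_max(&good_attr, M_BE32, minlen_after, 255));
    printf("value 256: %d\n", validate_max(&big_attr, M_BE32, minlen_after, 255));
    return 0;
}
```

With a table entry of 0 the two-byte attribute passes the gate and reaches the four-byte range check; with the entry set to 4 it is rejected up front, and well-formed attributes behave the same under both tables.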

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f
Fixed: 0ac219c4c3ab253f3981f346903458d20bacab32

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f
Fixed: a2ab028151841cd833cb53eb99427e0cc990112d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f
Fixed: 7a9d14c63b35f89563c5ecbadf918ad64979712d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f
Fixed: 9a0d18853c280f6a0ee99f91619f2442a17a323a

Affected versions

v6.*

v6.1
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Introduced: 6.1.0
Fixed: 6.1.81

Type: ECOSYSTEM
Introduced: 6.2.0
Fixed: 6.6.21

Type: ECOSYSTEM
Introduced: 6.7.0
Fixed: 6.7.9