🛡️ UBUNTU-CVE-2024-26608
⚪ Unknown ✅ No Known Exploit OSV
N/A
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl_policy. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810 CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 __nlmsg_parse include/net/netlink.h:748 [inline] genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565 genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdd66a8f359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000 The buggy address belongs to the variable: ksmbd_nl_policy+0x100/0xa80 The buggy address belongs to the physical page: page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9 ^ ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05 ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9 ================================================================== To fix it, add a placeholder named __KSMBD_EVENT_MAX and let KSMBD_EVENT_MAX to be its original value - 1 according to what other netlink families do. Also change two sites that refer the KSMBD_EVENT_MAX to correct value.

Details

Severity Unknown
CVSS Score N/A
CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE N/A
Public Exploit ✅ No
Source OSV
Published 2024-03-11
Updated 2026-06-15
Modified 2026-06-04
Fix URL N/A

Affected Packages

Software From version Fixed in
linux 5.15.0-106.116
linux-allwinner-5.19
linux-aws 5.15.0-1061.67
linux-aws-5.0
linux-aws-5.11
linux-aws-5.13
linux-aws-5.15 5.15.0-1061.67~20.04.1
linux-aws-5.19
linux-aws-5.3
linux-aws-5.8
linux-aws-6.2
linux-aws-6.5
linux-aws-fips 5.15.0-1061.67+fips1
linux-azure 5.15.0-1063.72
linux-azure-5.11
linux-azure-5.13
linux-azure-5.15 5.15.0-1063.72~20.04.1
linux-azure-5.19
linux-azure-5.3
linux-azure-5.8
linux-azure-6.2
linux-azure-6.5 6.5.0-1022.23~22.04.1
linux-azure-edge
linux-azure-fde
linux-azure-fde-5.19
linux-azure-fde-6.2
linux-azure-fde-6.8
linux-azure-fips 5.15.0-1063.72+fips1
linux-bluefield
linux-fips 5.15.0-106.116+fips1
linux-gcp 5.15.0-1059.67
linux-gcp-5.11
linux-gcp-5.13
linux-gcp-5.15 5.15.0-1059.67~20.04.1
linux-gcp-5.19
linux-gcp-5.3
linux-gcp-5.8
linux-gcp-6.2
linux-gcp-6.5 6.5.0-1022.24~22.04.1
linux-gcp-fips 5.15.0-1059.67+fips1
linux-gke 5.15.0-1058.63
linux-gke-4.15
linux-gke-5.15
linux-gke-5.4
linux-gkeop 5.15.0-1044.51
linux-gkeop-5.15 5.15.0-1044.51~20.04.1
linux-gkeop-5.4
linux-hwe
linux-hwe-5.11
linux-hwe-5.13
linux-hwe-5.15 5.15.0-106.116~20.04.1
linux-hwe-5.19
linux-hwe-5.8
linux-hwe-6.2
linux-hwe-6.5 6.5.0-41.41~22.04.2
linux-hwe-edge
linux-ibm 5.15.0-1054.57
linux-ibm-5.15 5.15.0-1054.57~20.04.1
linux-intel-5.13
linux-intel-iot-realtime 5.15.0-1054.56
linux-intel-iotg 5.15.0-1057.63
linux-intel-iotg-5.15 5.15.0-1058.64~20.04.1
linux-kvm 5.15.0-1058.63
linux-lowlatency 5.15.0-106.116
linux-lowlatency-hwe-5.15 5.15.0-106.116~20.04.1
linux-lowlatency-hwe-5.19
linux-lowlatency-hwe-6.2
linux-lowlatency-hwe-6.5 6.5.0-41.41.1~22.04.1
linux-nvidia 5.15.0-1054.55
linux-nvidia-6.2
linux-nvidia-6.5 6.5.0-1021.22
linux-nvidia-tegra 5.15.0-1026.26
linux-nvidia-tegra-5.15 5.15.0-1027.27~20.04.1
linux-nvidia-tegra-igx 5.15.0-1015.15
linux-oem
linux-oem-5.10
linux-oem-5.13
linux-oem-5.14
linux-oem-5.17
linux-oem-5.6
linux-oem-6.0
linux-oem-6.1
linux-oem-6.5 6.5.0-1024.25
linux-oracle 5.15.0-1059.65
linux-oracle-5.0
linux-oracle-5.11
linux-oracle-5.13
linux-oracle-5.15 5.15.0-1059.65~20.04.1
linux-oracle-5.3
linux-oracle-5.8
linux-oracle-6.5 6.5.0-1024.24~22.04.1
linux-raspi 5.15.0-1054.57
linux-raspi-realtime 6.8.0-2001.1
linux-raspi2
linux-realtime 5.15.0-1062.70
linux-riscv
linux-riscv-5.11
linux-riscv-5.15 5.15.0-1057.61~20.04.1
linux-riscv-5.19
linux-riscv-5.8
linux-riscv-6.5 6.5.0-40.40.1~22.04.1
linux-starfive-5.19
linux-starfive-6.2
linux-starfive-6.5 6.5.0-1015.16~22.04.1
linux-xilinx-zynqmp 5.15.0-1030.34

References

Similar Threats

Patch Gap Protection

Running software with known vulnerabilities?

BotEraser can help reduce exposure by blocking IPs associated with exploit activity — even before a patch is available.

Start Free →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.