CVE-2024-26622

tomoyo: fix UAF write bug in tomoyo_write_control()

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write()
of long lines is requested, we need to fetch head->write_buf after
head->io_sem is held. Otherwise, concurrent write() requests can
cause use-after-free-write and double-free problems.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tomoyo: corrige el error de escritura UAF en tomoyo_write_control() Dado que tomoyo_write_control() actualiza head->write_buf cuando se solicita write() de líneas largas, necesitamos recuperar head->write_buf después head->io_sem se mantiene. De lo contrario, las solicitudes de escritura () simultáneas pueden causar problemas de use-after-free-write y de doble liberación.

In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.

This update for the Linux Kernel 5.14.21-150500_55_49 fixes several issues. The following security issues were fixed. Fixed potential UAF in cifs_signal_cifsd_for_reconnect. Gpiolib: cdev: Fix use after free in lineinfo_changed_notify. Net: do not leave a dangling sk pointer, when socket creation fails hfsplus: fix uninit-value in copy_name. Fs/9p: only translate RWX permissions for plain 9P2000. Hsr: Prevent use after free in prp_create_tagged_frame. Fixed a general protection fault in i915_perf_open_ioctl. Set gtt bound flag in amdgpu_ttm_gart_bind. Fixed use-after-free bugs caused by sco_sock_timeout. Drm/client: Fully protect modes with dev->mode_config.mutex. Fixed false-positive lockdep splat for spin_lock in __unix_gc. Fixed double free of the ha->vp_map pointer. Fixed underflow in parse_server_interfaces. Fixed Integer Overflow or Wraparound vulnerability in x86 and ARM md, raid, raid5 modules. Fixed use-after-free in ip6_route_mpath_notify. Fixed memory corruption in wifi/iwlwifi. Fixed an out-of-bound bug in ipvlan caused by unset skb->mac_header. Fixed SDMA off-by-one error in _pad_sdma_tx_descs. Fixed a race condition in nfc_llcp_sock_get and nfc_llcp_sock_get_sn. Fixed race between tx work scheduling and socket close. Fixed a race condition in the GSM 0710 tty multiplexor via the GSMIOC_SETCONF ioctl that could lead to local privilege escalation. Fixed UAF write bug in tomoyo_write_control. Fixed a denial of service related to ICMPv6 'Packet Too Big' packets.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-03-04 CVE Published
2025-05-04 CVE Updated
2025-06-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/bd03a3e4c9a9df0c6b007045fa7fc8889111a478	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/a23ac1788e2c828c097119e9a3178f0b7e503fee	2024-03-06
https://git.kernel.org/stable/c/7d930a4da17958f869ef679ee0e4a8729337affc	2024-03-06
https://git.kernel.org/stable/c/3bfe04c1273d30b866f4c7c238331ed3b08e5824	2024-03-06
https://git.kernel.org/stable/c/2caa605079488da9601099fbda460cfc1702839f	2024-03-06
https://git.kernel.org/stable/c/6edefe1b6c29a9932f558a898968a9fcbeec5711	2024-03-06
https://git.kernel.org/stable/c/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815	2024-03-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.1 < 5.10.212 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 5.10.212"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.1 < 5.15.151 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 5.15.151"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.1 < 6.1.81 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 6.1.81"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.1 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.1 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.1 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.1 < 6.8"		en		Affected