CVE-2024-26849

netlink: add nla be16/32 types to minlen array

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 nla_validate_range_unsigned lib/nlattr.c:222 [inline] nla_validate_int_range lib/nlattr.c:336 [inline] validate_nla lib/nlattr.c:575 [inline]
... The message in question matches this policy: [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255), but because NLA_BE32 size in minlen array is 0, the validation
code will read past the malformed (too small) attribute. Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:
those likely should be added too.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netlink: agregue tipos nla be16/32 a la matriz minlen ERROR: KMSAN: valor uninit en nla_validate_range_unsigned lib/nlattr.c:222 [en línea] ERROR: KMSAN: valor uninit en nla_validate_int_range lib/nlattr.c:336 [en línea] ERROR: KMSAN: valor uninit en validar_nla lib/nlattr.c:575 [en línea] ERROR: KMSAN: valor uninit en __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 nla_validate_range_unsigned lib/nlattr.c:222 [en línea] nla_validate_int_range lib/nlattr.c:336 [en línea] validar_nla lib/nlattr.c:575 [en línea] ... El mensaje en cuestión coincide con esta política: [NFTA_TARGET_REV] = NLA_POLICY_MAX( NLA_BE32, 255), pero debido a que el tamaño de NLA_BE32 en la matriz minlen es 0, el código de validación leerá más allá del atributo con formato incorrecto (demasiado pequeño). Nota: También faltan otros atributos, por ejemplo, BITFIELD32, SINT, UINT...: probablemente también deberían agregarse.

In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline] BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline] BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline] BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631 nla_validate_range_unsigned lib/nlattr.c:222 [inline] nla_validate_int_range lib/nlattr.c:336 [inline] validate_nla lib/nlattr.c:575 [inline] ... The message in question matches this policy: [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255), but because NLA_BE32 size in minlen array is 0, the validation code will read past the malformed (too small) attribute. Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing: those likely should be added too.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-18 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0ac219c4c3ab253f3981f346903458d20bacab32	2024-03-06
https://git.kernel.org/stable/c/a2ab028151841cd833cb53eb99427e0cc990112d	2024-03-06
https://git.kernel.org/stable/c/7a9d14c63b35f89563c5ecbadf918ad64979712d	2024-03-06
https://git.kernel.org/stable/c/9a0d18853c280f6a0ee99f91619f2442a17a323a	2024-02-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.81 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.81"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.8"		en		Affected