5.5
MEDIUM
CVE-2024-26663
Linux Kernel TIPC UDP Null Pointer Deref Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()

syzbot reported the following general protection fault [1]:

general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
...
RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291
...
Call Trace:
 <TASK>
 tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646
 tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089
 genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
 genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
 genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The cause of this issue is that when tipc_nl_bearer_add() is called with the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called even if the bearer is not UDP.

tipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that the media_ptr field of the tipc_bearer has an udp_bearer type object, so the function goes crazy for non-UDP bearers.

This patch fixes the issue by checking the bearer type before calling tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().
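The missing check described above, as an added user-space model in C (not the kernel patch and not code from this page): the enum values, struct layouts and function names are simplified assumptions, and returning -EINVAL is this model's choice for the rejection path.

```c
#include <errno.h>
#include <stdio.h>
/* Constructed user-space model, not kernel source; names and layouts are assumed. */
enum media_type { MEDIA_ETH = 1, MEDIA_UDP = 3 };
struct eth_dev    { char name[16]; };   /* state a non-UDP bearer holds */
struct udp_bearer { int peer_count; };  /* state the UDP handler expects */
struct bearer {
    enum media_type type_id;
    void *media_ptr;  /* a udp_bearer only when type_id == MEDIA_UDP */
};

/* Stand-in for the UDP-specific handler: it trusts media_ptr blindly. */
int udp_bearer_add(struct bearer *b)
{
    struct udp_bearer *ub = b->media_ptr;
    ub->peer_count++;
    return 0;
}

/* Pre-fix shape: the UDP options attribute alone selects the handler. */
int bearer_add_unchecked(struct bearer *b, int has_udp_opts)
{
    return has_udp_opts ? udp_bearer_add(b) : 0;
}

/* Post-fix shape: check the bearer type before the UDP handler runs. */
int bearer_add_checked(struct bearer *b, int has_udp_opts)
{
    if (!has_udp_opts)
        return 0;
    if (b->type_id != MEDIA_UDP)
        return -EINVAL;  /* model's choice: reject, never touch media_ptr */
    return udp_bearer_add(b);
}

/* Send UDP options to a bearer of type t through the checked path. */
int demo(enum media_type t)
{
    struct eth_dev dev = { "eth0" };
    struct udp_bearer ub = { 0 };
    struct bearer b = { t, t == MEDIA_UDP ? (void *)&ub : (void *)&dev };
    int rc = bearer_add_checked(&b, 1);
    return rc ? rc : ub.peer_count;  /* error code, or peers recorded */
}

int main(void)
{
    printf("eth: %d, udp: %d\n", demo(MEDIA_ETH), demo(MEDIA_UDP));
    return 0;
}
```

`bearer_add_unchecked()` is shown only for comparison and is never called on the Ethernet bearer, since doing so would reinterpret `struct eth_dev` as `struct udp_bearer`.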

INFO

Published Date: April 2, 2024, 7:15 a.m.
Last Modified: Jan. 7, 2025, 5:20 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 3.6
Exploitability Score: 1.8

Affected Products

The following products are affected by CVE-2024-26663 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
1 Debian debian_linux
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-26663.

URL Resource
https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87 Patch
https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95 Patch
https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1 Patch
https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87 Patch
https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6 Patch
https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f Patch
https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59 Patch
https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12 Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List


The following table lists the changes that have been made to the CVE-2024-26663 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jan. 07, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE NIST CWE-476
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added CPE Configuration OR
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.9 up to (excluding) 4.19.307
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.269
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.210
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.149
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.78
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.17
      *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.5
      *cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
      *cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
    Changed Reference Type https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87 No Types Assigned https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87 Patch
    Changed Reference Type https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95 No Types Assigned https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95 Patch
    Changed Reference Type https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1 No Types Assigned https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1 Patch
    Changed Reference Type https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87 No Types Assigned https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87 Patch
    Changed Reference Type https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6 No Types Assigned https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6 Patch
    Changed Reference Type https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f No Types Assigned https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f Patch
    Changed Reference Type https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59 No Types Assigned https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59 Patch
    Changed Reference Type https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12 No Types Assigned https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12 Patch
    Changed Reference Type https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html No Types Assigned https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List
    Changed Reference Type https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html No Types Assigned https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87
    Added Reference https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95
    Added Reference https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1
    Added Reference https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87
    Added Reference https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6
    Added Reference https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f
    Added Reference https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59
    Added Reference https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 02, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87 [No types assigned]