5.5
MEDIUM
CVE-2024-26675
Linux PPP Async Kernel Out-of-Bounds Write
Description

In the Linux kernel, the following vulnerability has been resolved: ppp_async: limit MRU to 64K syzbot triggered a warning [1] in __alloc_pages(): WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) [1]: WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 Modules linked in: CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: events_unbound flush_to_ldisc pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 sp : ffff800093967580 x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 Call trace: __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 __do_kmalloc_node mm/slub.c:3969 [inline] __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 netdev_alloc_skb include/linux/skbuff.h:3235 [inline] dev_alloc_skb include/linux/skbuff.h:3248 [inline] ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 receive_buf drivers/tty/tty_buffer.c:444 [inline] flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

INFO

Published Date :

April 2, 2024, 7:15 a.m.

Last Modified :

March 17, 2025, 3:42 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

3.6

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2024-26675 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
1 Debian debian_linux
: Total Affected Vendor : 2 | Products : 2
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-26675.

URL Resource
https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8 Patch
https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16 Patch
https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed Patch
https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982 Patch
https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3 Patch
https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719 Patch
https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b Patch
https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8 Patch
https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8 Patch
https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16 Patch
https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed Patch
https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982 Patch
https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3 Patch
https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719 Patch
https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b Patch
https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8 Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-26675 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-26675 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 17, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-770
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 from (excluding) 5.15.149 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 from (excluding) 5.10.210 *cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 from (excluding) 5.4.269 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.12 from (excluding) 4.19.307 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 from (excluding) 6.1.78 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 from (excluding) 6.6.17 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 from (excluding) 6.7.5
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added Reference Type CVE: https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719 Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b Types: Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8 Types: Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8 Types: Patch
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8
    Added Reference https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16
    Added Reference https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed
    Added Reference https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982
    Added Reference https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3
    Added Reference https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719
    Added Reference https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b
    Added Reference https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 02, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: ppp_async: limit MRU to 64K syzbot triggered a warning [1] in __alloc_pages(): WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU) [1]: WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 Modules linked in: CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: events_unbound flush_to_ldisc pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537 sp : ffff800093967580 x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000 x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0 x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8 x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120 x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005 x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000 x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001 x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0 Call trace: __alloc_pages+0x308/0x698 mm/page_alloc.c:4543 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926 __do_kmalloc_node mm/slub.c:3969 [inline] __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001 kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590 __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651 __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715 netdev_alloc_skb include/linux/skbuff.h:3235 [inline] dev_alloc_skb include/linux/skbuff.h:3248 [inline] ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline] ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341 tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390 tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37 receive_buf drivers/tty/tty_buffer.c:444 [inline] flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    Added Reference kernel.org https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-26675 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-26675 weaknesses.

CAPEC-125: Flooding Flooding CAPEC-130: Excessive Allocation Excessive Allocation CAPEC-147: XML Ping of the Death XML Ping of the Death CAPEC-197: Exponential Data Expansion Exponential Data Expansion CAPEC-229: Serialized Data Parameter Blowup Serialized Data Parameter Blowup CAPEC-230: Serialized Data with Nested Payloads Serialized Data with Nested Payloads CAPEC-231: Oversized Serialized Data Payloads Oversized Serialized Data Payloads CAPEC-469: HTTP DoS HTTP DoS CAPEC-482: TCP Flood TCP Flood CAPEC-486: UDP Flood UDP Flood CAPEC-487: ICMP Flood ICMP Flood CAPEC-488: HTTP Flood HTTP Flood CAPEC-489: SSL Flood SSL Flood CAPEC-490: Amplification Amplification CAPEC-491: Quadratic Data Expansion Quadratic Data Expansion CAPEC-493: SOAP Array Blowup SOAP Array Blowup CAPEC-494: TCP Fragmentation TCP Fragmentation CAPEC-495: UDP Fragmentation UDP Fragmentation CAPEC-496: ICMP Fragmentation ICMP Fragmentation CAPEC-528: XML Flood XML Flood
CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: