CVE-2024-26733
Oracle Solaris ARP Buffer Overflow
Description
In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK>
INFO
Published Date :
April 3, 2024, 5:15 p.m.
Last Modified :
March 17, 2025, 4:02 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
Affected Products
The following products are affected by CVE-2024-26733
vulnerability.
Even if cvefeed.io
is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-26733
.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-26733
vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-26733
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Mar. 17, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Added CWE CWE-787 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.80 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.150 *cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.10.211:*:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.12 up to (excluding) 5.10.211 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.19 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.7 *cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a1k_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a1k:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a70_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a70:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a90_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a90:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a700s:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:8300:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:8700:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a400:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:c400_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:c400:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a320_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a320:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a800_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a800:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:c800_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:c800:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a900_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a900:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:9500_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:9500:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:c190_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:c190:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a150_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a150:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a220_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a220:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:fas2720_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:fas2720:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:fas2750_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:fas2750:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:fas2820_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:fas2820:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a300_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a300:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:8200_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:8200:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:a700_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:a700:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:9000_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:9000:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:h610c_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h610c:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:h610s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h610s:*:*:*:*:*:*:*:* Added CPE Configuration AND OR *cpe:2.3:o:netapp:h615c_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h615c:*:*:*:*:*:*:*:* Added CPE Configuration OR *cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (including) 11.70.2 Added Reference Type CVE: https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 Types: Patch Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List Added Reference Type CVE: https://security.netapp.com/advisory/ntap-20241101-0013/ Types: Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a Added Reference https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 Added Reference https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 Added Reference https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 Added Reference https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 Added Reference https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Added Reference https://security.netapp.com/advisory/ntap-20241101-0013/ -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Nov. 05, 2024
Action Type Old Value New Value Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jun. 25, 2024
Action Type Old Value New Value Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned] -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 29, 2024
Action Type Old Value New Value -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 14, 2024
Action Type Old Value New Value -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Apr. 03, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK> Added Reference kernel.org https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-26733
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-26733
weaknesses.