0.0
NA
CVE-2024-26859
"Brocade bnx2x Linux Kernel EEH Error Handling and Page Pool Vulnerability"
Description

In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; 803 struct page *page = sw_buf->page; .... where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread. EEH: Beginning: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... bnx2x 0011:01:00.0: enabling device (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000025065fc Oops: Kernel access of bad area, sig: 11 [#1] ..... Call Trace: [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 To solve this issue, we need to verify page pool allocations before freeing.

INFO

Published Date :

April 17, 2024, 11:15 a.m.

Last Modified :

Nov. 21, 2024, 9:03 a.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

Exploitability Score :

Affected Products

The following products are affected by CVE-2024-26859 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-26859.

URL Resource
https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb
https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec
https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4
https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9
https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699
https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598
https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68
https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c
https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d
https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb
https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec
https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4
https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9
https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699
https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598
https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68
https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c
https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-26859 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-26859 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 04, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-362
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 from (excluding) 6.7.11 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 from (excluding) 6.6.23 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 from (excluding) 6.1.83 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 from (excluding) 5.15.153 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 from (excluding) 5.10.214 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 from (excluding) 5.4.273 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.2 from (excluding) 4.19.311 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.8 from (excluding) 6.8.2
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added Reference Type CVE: https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d Types: Mailing List, Patch
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb
    Added Reference https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec
    Added Reference https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4
    Added Reference https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9
    Added Reference https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699
    Added Reference https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598
    Added Reference https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68
    Added Reference https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c
    Added Reference https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Apr. 17, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: net/bnx2x: Prevent access to a freed page in page_pool Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; 803 struct page *page = sw_buf->page; .... where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread. EEH: Beginning: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... bnx2x 0011:01:00.0: enabling device (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000025065fc Oops: Kernel access of bad area, sig: 11 [#1] ..... Call Trace: [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 To solve this issue, we need to verify page pool allocations before freeing.
    Added Reference kernel.org https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-26859 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-26859 weaknesses.

NONE - Vulnerability Scoring System
:
© cvefeed.io
Latest DB Update: Jul. 02, 2025 22:40