5.5
MEDIUM CVSS 3.1
CVE-2024-26931
QLogic qla2xxx SCSI Driver Null Pointer Dereference Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix command flush on cable pull

System crash due to command failed to flush back to SCSI layer.

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP NOPTI
    CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1
    Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
    Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
    RIP: 0010:__wake_up_common+0x4c/0x190
    Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75
    RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
    RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
    RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
    RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
    R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
    R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
    FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     __wake_up_common_lock+0x7c/0xc0
     qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
     qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0
     ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
     qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.
     ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
     qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1
     ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
     qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0
     ? __switch_to+0x10c/0x450
     ? process_one_work+0x1a7/0x360
     qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.
     ? worker_thread+0x1ce/0x390
     ? create_worker+0x1a0/0x1a0
     qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70
     ? kthread+0x10a/0x120
     qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8
     ? set_kthread_struct+0x40/0x40
     qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.
     ? ret_from_fork+0x1f/0x40
     qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout

The system was under memory stress where the driver was not able to allocate an SRB to carry out error recovery of cable pull. The failure to flush causes the upper layer to start modifying scsi_cmnd. When the system frees up some memory, the subsequent cable pull triggers another command flush. At this point the driver accesses a null pointer when attempting to DMA unmap the SGL.

Add a check to make sure commands are flushed back on session tear down to prevent the null pointer access.

INFO

Published Date :

May 1, 2024, 6:15 a.m.

Last Modified :

Nov. 21, 2024, 9:03 a.m.

Remotely Exploitable :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Products

The following products are affected by CVE-2024-26931 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 MEDIUM [email protected]
Solution
This vulnerability is addressed by updating the kernel packages to the latest versions.
  • Update the affected kernel packages.
  • Reboot the system after the update.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-26931.

URL Resource
https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211
https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac
https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d
https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d
https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1
https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a
https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a
https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9
https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
The following table lists the changes that have been made to the CVE-2024-26931 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Mar. 04, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Added CWE CWE-476
    Added CPE Configuration OR
        *cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.215
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.24
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.7.12
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.154
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.84
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 4.19.312
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.274
        *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.8 up to (excluding) 6.8.3
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added Reference Type CVE: https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9 Types: Mailing List, Patch
    Added Reference Type CVE: https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150 Types: Mailing List, Patch
    Added Reference Type kernel.org: https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150 Types: Mailing List, Patch
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Types: Mailing List
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211
    Added Reference https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac
    Added Reference https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d
    Added Reference https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d
    Added Reference https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1
    Added Reference https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a
    Added Reference https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a
    Added Reference https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9
    Added Reference https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
    Removed Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 29, 2024

    Action Type Old Value New Value
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    May. 01, 2024

    Action Type Old Value New Value
    Added Description (text as in the Description section above)
    Added Reference kernel.org https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1 [No types assigned]
Vulnerability Scoring Details
Base CVSS Score: 5.5
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High