{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26598", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.128Z", "datePublished": "2024-02-23T14:46:26.672Z", "dateUpdated": "2026-05-11T20:00:31.061Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:00:31.061Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/vgic/vgic-its.c"], "versions": [{"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "d04acadb6490aa3314f9c9e087691e55de153b88", "status": "affected", "versionType": "git"}, {"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "ba7be666740847d967822bed15500656b26bc703", "status": "affected", "versionType": "git"}, {"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "12c2759ab1343c124ed46ba48f27bd1ef5d2dff4", "status": "affected", "versionType": "git"}, {"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "dba788e25f05209adf2b0175eb1691dc89fb1ba6", "status": "affected", "versionType": "git"}, {"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "65b201bf3e9af1b0254243a5881390eda56f72d1", "status": "affected", "versionType": "git"}, {"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "dd3956a1b3dd11f46488c928cb890d6937d1ca80", "status": "affected", "versionType": "git"}, {"version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "ad362fe07fecf0aba839ff2cc59a3617bd42c33f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/arm64/kvm/vgic/vgic-its.c"], "versions": [{"version": "3.11", "status": "affected"}, {"version": "0", "lessThan": "3.11", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.269", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.209", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.148", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.75", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.14", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.2", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "5.4.269"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "5.10.209"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "5.15.148"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.1.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.6.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.7.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"}, {"url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"}, {"url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"}, {"url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"}, {"url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"}, {"url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"}, {"url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"}], "title": "KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.689Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "affected": [{"vendor": "linux", "product": "linux_kernel", "cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1da177e4c3f4", "status": "affected", "lessThan": "d04acadb6490", "versionType": "custom"}, {"version": "1da177e4c3f4", "status": "affected", "lessThan": "ba7be6667408", "versionType": "custom"}, {"version": "1da177e4c3f4", "status": "affected", "lessThan": "12c2759ab134", "versionType": "custom"}, {"version": "1da177e4c3f4", "status": "affected", "lessThan": "dba788e25f05", "versionType": "custom"}, {"version": "1da177e4c3f4", "status": "affected", "lessThan": "65b201bf3e9a", "versionType": "custom"}, {"version": "1da177e4c3f4", "status": "affected", "lessThan": "dd3956a1b3dd", "versionType": "custom"}, {"version": "1da177e4c3f4", "status": "affected", "lessThan": "ad362fe07fec", "versionType": "custom"}, {"version": "5.4.269", "status": "unaffected", "lessThanOrEqual": "5.5", "versionType": "custom"}, {"version": "5.10.209", "status": "unaffected", "lessThanOrEqual": "5.11", "versionType": "custom"}, {"version": "5.15.148", "status": "unaffected", "lessThanOrEqual": "5.16", "versionType": "custom"}, {"version": "6.1.75", "status": "unaffected", "lessThanOrEqual": "6.2", "versionType": "custom"}, {"version": "6.6.14", "status": "unaffected", "lessThanOrEqual": "6.7", "versionType": "custom"}, {"version": "6.7.2", "status": "unaffected", "lessThanOrEqual": "6.8", "versionType": "custom"}, {"version": "6.8", "status": "unaffected", "lessThanOrEqual": "*", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T16:15:47.782832Z", "id": "CVE-2024-26598", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T16:16:01.155Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.689Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-26598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-22T16:15:47.782832Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"], "vendor": "linux", "product": "linux_kernel", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "d04acadb6490", "versionType": "custom"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "ba7be6667408", "versionType": "custom"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "12c2759ab134", "versionType": "custom"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "dba788e25f05", "versionType": "custom"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "65b201bf3e9a", "versionType": "custom"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "dd3956a1b3dd", "versionType": "custom"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "ad362fe07fec", "versionType": "custom"}, {"status": "unaffected", "version": "5.4.269", "versionType": "custom", "lessThanOrEqual": "5.5"}, {"status": "unaffected", "version": "5.10.209", "versionType": "custom", "lessThanOrEqual": "5.11"}, {"status": "unaffected", "version": "5.15.148", "versionType": "custom", "lessThanOrEqual": "5.16"}, {"status": "unaffected", "version": "6.1.75", "versionType": "custom", "lessThanOrEqual": "6.2"}, {"status": "unaffected", "version": "6.6.14", "versionType": "custom", "lessThanOrEqual": "6.7"}, {"status": "unaffected", "version": "6.7.2", "versionType": "custom", "lessThanOrEqual": "6.8"}, {"status": "unaffected", "version": "6.8", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T15:34:11.687Z"}}], "cna": {"title": "KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "d04acadb6490aa3314f9c9e087691e55de153b88", "versionType": "git"}, {"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "ba7be666740847d967822bed15500656b26bc703", "versionType": "git"}, {"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "12c2759ab1343c124ed46ba48f27bd1ef5d2dff4", "versionType": "git"}, {"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "dba788e25f05209adf2b0175eb1691dc89fb1ba6", "versionType": "git"}, {"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "65b201bf3e9af1b0254243a5881390eda56f72d1", "versionType": "git"}, {"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "dd3956a1b3dd11f46488c928cb890d6937d1ca80", "versionType": "git"}, {"status": "affected", "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878", "lessThan": "ad362fe07fecf0aba839ff2cc59a3617bd42c33f", "versionType": "git"}], "programFiles": ["arch/arm64/kvm/vgic/vgic-its.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.11"}, {"status": "unaffected", "version": "0", "lessThan": "3.11", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.269", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.209", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.148", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.75", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.14", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.2", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["arch/arm64/kvm/vgic/vgic-its.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"}, {"url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"}, {"url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"}, {"url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"}, {"url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"}, {"url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"}, {"url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.269", "versionStartIncluding": "3.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.209", "versionStartIncluding": "3.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.148", "versionStartIncluding": "3.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.75", "versionStartIncluding": "3.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.14", "versionStartIncluding": "3.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.2", "versionStartIncluding": "3.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "3.11"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:00:31.061Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26598", "state": "PUBLISHED", "dateUpdated": "2026-05-11T20:00:31.061Z", "dateReserved": "2024-02-19T14:20:24.128Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-23T14:46:26.672Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2B90340-A8CC-4956-9F40-F37195011EC7", "versionEndExcluding": "5.4.269", "versionStartIncluding": "5.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "74979A03-4B10-4815-AE3E-C8C0D2FDAA39", "versionEndExcluding": "5.10.209", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2ED0CDB9-61B0-408E-B2A8-5199107F7868", "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "070D0ED3-90D0-4F95-B1FF-57D7F46F332D", "versionEndExcluding": "6.1.75", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C6B50A6-3D8B-4CE2-BDCC-A098609CBA14", "versionEndExcluding": "6.6.14", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7229C448-E0C9-488B-8939-36BA5254065E", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: vgic-its: Evite posibles UAF en la cach\u00e9 de traducci\u00f3n LPI. Existe un escenario potencial de UAF en el caso de que un cach\u00e9 de traducci\u00f3n LPI se acelere con una operaci\u00f3n que invalide la cach\u00e9, como un comando DISCARD ITS. La ra\u00edz del problema es que vgic_its_check_cache() no eleva el refcount en vgic_irq antes de eliminar el bloqueo que serializa los cambios de refcount. Haga que vgic_its_check_cache() aumente el refcount en el vgic_irq devuelto y agregue el decremento correspondiente despu\u00e9s de poner en cola la interrupci\u00f3n."}], "id": "CVE-2024-26598", "lastModified": "2024-11-21T09:02:37.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-23T15:15:09.610", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8161", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.126.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:8161", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.126.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:8161", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.126.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-16T00:00:00Z"}, {"advisory": "RHSA-2024:4740", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.64.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4415", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "kernel-0:5.14.0-70.105.1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:3855", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.69.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-06-12T00:00:00Z"}, {"advisory": "RHSA-2024:3854", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.69.1.rt14.354.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-06-12T00:00:00Z"}], "bugzilla": {"description": "kernel: kvm: Avoid potential UAF in LPI translation cache", "id": "2265801", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265801"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.", "A flaw was found in the Linux kernel pertaining to a potential use-after-free (UAF) scenario in a system involving Logical Partitioning Interrupts (LPI) translation cache operations. Specifically, the issue arises when a cache hit occurs concurrently with an operation that invalidates the cache, such as a DISCARD ITS command. The root cause is traced to vgic_its_check_cache() not appropriately managing the reference count of the vgic_irq object. Upon returning from this function, the reference count of vgic_irq is not incremented. This issue can lead to the object being prematurely freed while still in use by other parts of the system, potentially resulting in undefined behavior or system instability."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available for this vulnerability. Make sure to perform the updates as they become available."}, "name": "CVE-2024-26598", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26598\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26598\nhttps://lore.kernel.org/linux-cve-announce/2024022338-CVE-2024-26598-24f4@gregkh/T/#u"], "statement": "The vulnerability is assessed as having a Moderate severity due to its potential to cause system instability or undefined behavior under specific conditions. Specifically, the issue arises from concurrent operations involving the LPI translation cache and commands that invalidate this cache, such as DISCARD ITS commands. The root cause lies in vgic_its_check_cache() failing to increment the reference count of the vgic_irq object before releasing the lock. This oversight can lead to a use-after-free scenario where the object may be prematurely freed while still in use elsewhere in the system. As a consequence, if the object is accessed or modified after being freed, it can result in unpredictable behavior, crashes, or even security vulnerabilities if an attacker can control the timing of cache invalidation and subsequent accesses.", "threat_severity": "Moderate"}

{}