{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-27066", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.216Z", "datePublished": "2024-05-01T13:04:12.582Z", "dateUpdated": "2026-05-11T20:09:43.831Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:09:43.831Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: packed: fix unmap leak for indirect desc table\n\nWhen use_dma_api and premapped are true, then the do_unmap is false.\n\nBecause the do_unmap is false, vring_unmap_extra_packed is not called by\ndetach_buf_packed.\n\n if (unlikely(vq->do_unmap)) {\n curr = id;\n for (i = 0; i < state->num; i++) {\n vring_unmap_extra_packed(vq,\n &vq->packed.desc_extra[curr]);\n curr = vq->packed.desc_extra[curr].next;\n }\n }\n\nSo the indirect desc table is not unmapped. This causes the unmap leak.\n\nSo here, we check vq->use_dma_api instead. Synchronously, dma info is\nupdated based on use_dma_api judgment\n\nThis bug does not occur, because no driver use the premapped with\nindirect."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/virtio/virtio_ring.c"], "versions": [{"version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "e142169aca5546ae6619c39a575cda8105362100", "status": "affected", "versionType": "git"}, {"version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "75450ff8c6fe8755bf5b139b238eaf9739cfd64e", "status": "affected", "versionType": "git"}, {"version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "51bacd9d29bf98c3ebc65e4a0477bb86306b4140", "status": "affected", "versionType": "git"}, {"version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/virtio/virtio_ring.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.23", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.11", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.2", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.7.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.8.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e142169aca5546ae6619c39a575cda8105362100"}, {"url": "https://git.kernel.org/stable/c/75450ff8c6fe8755bf5b139b238eaf9739cfd64e"}, {"url": "https://git.kernel.org/stable/c/51bacd9d29bf98c3ebc65e4a0477bb86306b4140"}, {"url": "https://git.kernel.org/stable/c/d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd"}], "title": "virtio: packed: fix unmap leak for indirect desc table", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-13T18:28:27.748226Z", "id": "CVE-2024-27066", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T14:58:09.210Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:57.845Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e142169aca5546ae6619c39a575cda8105362100", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/75450ff8c6fe8755bf5b139b238eaf9739cfd64e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/51bacd9d29bf98c3ebc65e4a0477bb86306b4140", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e142169aca5546ae6619c39a575cda8105362100", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/75450ff8c6fe8755bf5b139b238eaf9739cfd64e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/51bacd9d29bf98c3ebc65e4a0477bb86306b4140", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:57.845Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-13T18:28:27.748226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-13T18:28:55.684Z"}}], "cna": {"title": "virtio: packed: fix unmap leak for indirect desc table", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "e142169aca5546ae6619c39a575cda8105362100", "versionType": "git"}, {"status": "affected", "version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "75450ff8c6fe8755bf5b139b238eaf9739cfd64e", "versionType": "git"}, {"status": "affected", "version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "51bacd9d29bf98c3ebc65e4a0477bb86306b4140", "versionType": "git"}, {"status": "affected", "version": "b319940f83c21bb4c1fabffe68a862be879a6193", "lessThan": "d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd", "versionType": "git"}], "programFiles": ["drivers/virtio/virtio_ring.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.6"}, {"status": "unaffected", "version": "0", "lessThan": "6.6", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.23", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.11", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.2", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/virtio/virtio_ring.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e142169aca5546ae6619c39a575cda8105362100"}, {"url": "https://git.kernel.org/stable/c/75450ff8c6fe8755bf5b139b238eaf9739cfd64e"}, {"url": "https://git.kernel.org/stable/c/51bacd9d29bf98c3ebc65e4a0477bb86306b4140"}, {"url": "https://git.kernel.org/stable/c/d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: packed: fix unmap leak for indirect desc table\n\nWhen use_dma_api and premapped are true, then the do_unmap is false.\n\nBecause the do_unmap is false, vring_unmap_extra_packed is not called by\ndetach_buf_packed.\n\n if (unlikely(vq->do_unmap)) {\n curr = id;\n for (i = 0; i < state->num; i++) {\n vring_unmap_extra_packed(vq,\n &vq->packed.desc_extra[curr]);\n curr = vq->packed.desc_extra[curr].next;\n }\n }\n\nSo the indirect desc table is not unmapped. This causes the unmap leak.\n\nSo here, we check vq->use_dma_api instead. Synchronously, dma info is\nupdated based on use_dma_api judgment\n\nThis bug does not occur, because no driver use the premapped with\nindirect."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:53:42.892Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27066", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:53:42.892Z", "dateReserved": "2024-02-19T14:20:24.216Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-01T13:04:12.582Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B28A88F-F85F-4008-8F7C-44FC9152916E", "versionEndExcluding": "6.6.23", "versionStartIncluding": "6.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD", "versionEndExcluding": "6.7.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1", "versionEndExcluding": "6.8.2", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio: packed: fix unmap leak for indirect desc table\n\nWhen use_dma_api and premapped are true, then the do_unmap is false.\n\nBecause the do_unmap is false, vring_unmap_extra_packed is not called by\ndetach_buf_packed.\n\n if (unlikely(vq->do_unmap)) {\n curr = id;\n for (i = 0; i < state->num; i++) {\n vring_unmap_extra_packed(vq,\n &vq->packed.desc_extra[curr]);\n curr = vq->packed.desc_extra[curr].next;\n }\n }\n\nSo the indirect desc table is not unmapped. This causes the unmap leak.\n\nSo here, we check vq->use_dma_api instead. Synchronously, dma info is\nupdated based on use_dma_api judgment\n\nThis bug does not occur, because no driver use the premapped with\nindirect."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: virtio: empaquetado: corrige la fuga de desasignaci\u00f3n para la tabla desc indirecta Cuando use_dma_api y premapped son verdaderos, entonces do_unmap es falso. Debido a que do_unmap es falso, detach_buf_packed no llama a vring_unmap_extra_packed. if (improbable(vq-&gt;do_unmap)) { curr = id; for (i = 0; i &lt; estado-&gt;num; i++) { vring_unmap_extra_packed(vq, &amp;vq-&gt;packed.desc_extra[curr]); curr = vq-&gt;packed.desc_extra[curr].next; } } Por lo tanto, la tabla de descripci\u00f3n indirecta no est\u00e1 desasignada. Esto provoca la fuga de desasignaci\u00f3n. As\u00ed que aqu\u00ed marcamos vq-&gt;use_dma_api en su lugar. Sincr\u00f3nicamente, la informaci\u00f3n de dma se actualiza seg\u00fan el criterio use_dma_api. Este error no ocurre porque ning\u00fan controlador utiliza el preasignado con indirecto."}], "id": "CVE-2024-27066", "lastModified": "2025-09-18T16:56:30.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-01T13:15:50.850", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/51bacd9d29bf98c3ebc65e4a0477bb86306b4140"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/75450ff8c6fe8755bf5b139b238eaf9739cfd64e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e142169aca5546ae6619c39a575cda8105362100"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/51bacd9d29bf98c3ebc65e4a0477bb86306b4140"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/75450ff8c6fe8755bf5b139b238eaf9739cfd64e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e142169aca5546ae6619c39a575cda8105362100"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: virtio: packed: fix unmap leak for indirect desc table", "id": "2278378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278378"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvirtio: packed: fix unmap leak for indirect desc table\nWhen use_dma_api and premapped are true, then the do_unmap is false.\nBecause the do_unmap is false, vring_unmap_extra_packed is not called by\ndetach_buf_packed.\nif (unlikely(vq->do_unmap)) {\ncurr = id;\nfor (i = 0; i < state->num; i++) {\nvring_unmap_extra_packed(vq,\n&vq->packed.desc_extra[curr]);\ncurr = vq->packed.desc_extra[curr].next;\n}\n}\nSo the indirect desc table is not unmapped. This causes the unmap leak.\nSo here, we check vq->use_dma_api instead. Synchronously, dma info is\nupdated based on use_dma_api judgment\nThis bug does not occur, because no driver use the premapped with\nindirect.", "A vulnerability was found in the Linux kernel's virtio virtio_ring.c driver, which can lead to memory leakage caused by improper checks. This issue can occur when use_dma_api and premapped are true, causing do_unmap to be false, preventing the detach_buf_packed() function from calling vring_unmap_extra_packed(), leaving the indirect description table mapped. This can lead to resource exhaustion over time."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-27066", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-27066\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27066\nhttps://lore.kernel.org/linux-cve-announce/2024050132-CVE-2024-27066-686a@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T22:31:17.605319+00:00", "updated": "2025-07-12T22:31:17.605405+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}