{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-35893", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.113Z", "datePublished": "2024-05-19T08:34:48.737Z", "dateUpdated": "2026-05-12T11:52:28.473Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:13:17.005Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/act_skbmod.c"], "versions": [{"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "f190a4aa03cbd518bd9c62a66e1233984f5fd2ec", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "f356eb2fb567e0931143ac1769ac802d3b3e2077", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "5e45dc4408857305f4685abfd7a528a1e58b51b5", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "a097fc199ab5f4b5392c5144034c0d2148b55a14", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c", "status": "affected", "versionType": "git"}, {"version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "d313eb8b77557a6d5855f42d2234bd592c7b50dd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/act_skbmod.c"], "versions": [{"version": "4.9", "status": "affected"}, {"version": "0", "lessThan": "4.9", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.312", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.274", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.85", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.26", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.5", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "4.19.312"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "5.4.274"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "5.10.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "5.15.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.1.85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.6.26"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.8.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"}, {"url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"}, {"url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"}, {"url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"}, {"url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"}, {"url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"}, {"url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"}, {"url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"}], "title": "net/sched: act_skbmod: prevent kernel-infoleak", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T19:31:02.298124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:34.282Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.968Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}, {"x_adpType": "supplier", "providerMetadata": {"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-05-12T11:52:28.473Z"}, "affected": [{"vendor": "Siemens", "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}]}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.968Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35893", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T19:31:02.298124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:31:07.201Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "net/sched: act_skbmod: prevent kernel-infoleak", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "f190a4aa03cbd518bd9c62a66e1233984f5fd2ec", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "f356eb2fb567e0931143ac1769ac802d3b3e2077", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "5e45dc4408857305f4685abfd7a528a1e58b51b5", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "a097fc199ab5f4b5392c5144034c0d2148b55a14", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c", "versionType": "git"}, {"status": "affected", "version": "86da71b57383d40993cb90baafb3735cffe5d800", "lessThan": "d313eb8b77557a6d5855f42d2234bd592c7b50dd", "versionType": "git"}], "programFiles": ["net/sched/act_skbmod.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.9"}, {"status": "unaffected", "version": "0", "lessThan": "4.9", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.312", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.274", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.215", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.154", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.85", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.26", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.5", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/sched/act_skbmod.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"}, {"url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"}, {"url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"}, {"url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"}, {"url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"}, {"url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"}, {"url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"}, {"url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.312", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.274", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.215", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.154", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.85", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.26", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.5", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "4.9"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:07:46.833Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35893", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:07:46.833Z", "dateReserved": "2024-05-17T13:50:33.113Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-19T08:34:48.737Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "79FE93A0-BD1B-4463-8524-DBE9B6DEB79A", "versionEndExcluding": "4.19.312", "versionStartIncluding": "4.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F45A0F3C-C16D-49C4-86D6-D021C3D4B834", "versionEndExcluding": "5.4.274", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CD5894E-58E9-4B4A-B0F4-3E6BC134B8F5", "versionEndExcluding": "5.10.215", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "325665BF-2409-49D9-B391-39AD4566FDBD", "versionEndExcluding": "6.1.85", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C520696A-A594-4FFC-A32D-12DA535CE911", "versionEndExcluding": "6.6.26", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBD6C99E-4250-4DFE-8447-FF2075939D10", "versionEndExcluding": "6.8.5", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/sched: act_skbmod: prevent kernel-infoleak syzbot encontr\u00f3 que tcf_skbmod_dump() estaba copiando cuatro bytes de la pila del kernel al espacio de usuario [1]. El problema aqu\u00ed es que 'struct tc_skbmod' tiene un agujero de cuatro bytes. Necesitamos borrar la estructura antes de completar los campos. [1] ERROR: KMSAN: kernel-infoleak en instrument_copy_to_user include/linux/instrumented.h:114 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en copy_to_user_iter lib/iov_iter.c:24 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en iterate_ubuf include/linux/iov_iter.h:29 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en iterate_and_advance2 include/linux/iov_iter.h:245 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en iterate_and_advance include/linux/iov_iter. h:271 [en l\u00ednea] ERROR: KMSAN: kernel-infoleak en _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [en l\u00ednea] copy_to_user_iter lib/iov_iter.c:24 [en l\u00ednea] iterate_ubuf include/linux/iov_iter.h:29 [en l\u00ednea] iterate_and_advance2 include/linux/iov_iter.h:245 [en l\u00ednea] iterate_and_advance include/linux/iov_iter.h:271 [en l\u00ednea] _copy_to_iter+0x366/0x2520 lib/iov_iter.c: 185 copy_to_iter include/linux/uio.h:196 [en l\u00ednea] simple_copy_to_iter net/core/datagram.c:532 [en l\u00ednea] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/ datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [en l\u00ednea] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [en l\u00ednea] 0 neto/ socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [en l\u00ednea] __se_sys_recvfrom net/socket.c:2256 [en l\u00ednea] __x64_sys_recvfrom+0x126/0x1d0 net/ enchufe.c: 2256 do_syscall_64+0xd5/0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit se almacen\u00f3 en la memoria en: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:13 17 netlink_unicast+0x9f/ 0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [en l\u00ednea] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c: 741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [en l\u00ednea] tcf_add_notify net/sched/act_api.c:2048 [en l\u00ednea] tcf_action_add net/sched/act_api.c:2071 [en l\u00ednea] tc_ctl_action+0x146e/0x19d0 net/sched/act_api .c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net / enlace de red /af_netlink.c:1335 [en l\u00ednea] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 __sock_sendmsg + 0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 __do_sys_ enviar mensaje de red/socket. c:2676 [en l\u00ednea] __se_sys_sendmsg net/socket.c:2674 [en l\u00ednea] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 se almacen\u00f3 en la memoria en: __nla_put lib/nlattr .c:1041 [en l\u00ednea] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 tcf_action_dump_1+0x85 mi/ 0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [en l\u00ednea ] tcf_add_notify net/sched/act_api.c: 2042 [inline] tcf_action_add net/sched/act_api.c: 2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c: 2119 rtnetlink_rcv_msg+0x177/0x1900 rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncado---"}], "id": "CVE-2024-35893", "lastModified": "2026-05-12T12:16:39.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-19T09:15:10.307", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}, {"source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:5102", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5101", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.16.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}], "bugzilla": {"description": "kernel: net/sched: act_skbmod: prevent kernel-infoleak", "id": "2281682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281682"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: act_skbmod: prevent kernel-infoleak\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\nWe need to clear the structure before filling fields.\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopy_to_user_iter lib/iov_iter.c:24 [inline]\niterate_ubuf include/linux/iov_iter.h:29 [inline]\niterate_and_advance2 include/linux/iov_iter.h:245 [inline]\niterate_and_advance include/linux/iov_iter.h:271 [inline]\n_copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\ncopy_to_iter include/linux/uio.h:196 [inline]\nsimple_copy_to_iter net/core/datagram.c:532 [inline]\n__skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\nskb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\nskb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\nnetlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\nsock_recvmsg_nosec net/socket.c:1046 [inline]\nsock_recvmsg+0x2c4/0x340 net/socket.c:1068\n__sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n__do_sys_recvfrom net/socket.c:2260 [inline]\n__se_sys_recvfrom net/socket.c:2256 [inline]\n__x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\ndo_syscall_64+0xd5/0x1f0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nUninit was stored to memory at:\npskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\nnetlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\nnetlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\nnlmsg_unicast include/net/netlink.h:1144 [inline]\nnlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\nrtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\nrtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\ntcf_add_notify net/sched/act_api.c:2048 [inline]\ntcf_action_add net/sched/act_api.c:2071 [inline]\ntc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\nrtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\nnetlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\nrtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\nnetlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\nnetlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\nnetlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x30f/0x380 net/socket.c:745\n____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\ndo_syscall_64+0xd5/0x1f0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nUninit was stored to memory at:\n__nla_put lib/nlattr.c:1041 [inline]\nnla_put+0x1c6/0x230 lib/nlattr.c:1099\ntcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\ntcf_action_dump_old net/sched/act_api.c:1191 [inline]\ntcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\ntcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\ntca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\ntcf_add_notify_msg net/sched/act_api.c:2023 [inline]\ntcf_add_notify net/sched/act_api.c:2042 [inline]\ntcf_action_add net/sched/act_api.c:2071 [inline]\ntc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\nrtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\nnetlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---"], "name": "CVE-2024-35893", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35893\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35893\nhttps://lore.kernel.org/linux-cve-announce/2024051949-CVE-2024-35893-5132@gregkh/T"], "threat_severity": "Low"}

{}