CVE-2024-26895 - Vulnerability Details

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c
https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lore.kernel.org/linux-cve-announce/2024041744-CVE-2024-26895-5eee@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26895
https://www.cve.org/CVERecord?id=CVE-2024-26895

Type	Values Removed	Values Added
References		https://cert-portal.siemens.com/productcert/html/ssa-265688.html

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux Linux Linux linux Kernel
CPEs		cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Debian Debian debian Linux Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Type	Values Removed	Values Added
References	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26895", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.186Z", "datePublished": "2024-04-17T10:27:46.585Z", "dateUpdated": "2026-05-12T11:50:14.419Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:06:29.936Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n safely modify the list as we go through each element. For each element,\n remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n sure it is safe to free the corresponding vif too (through\n unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/microchip/wilc1000/netdev.c"], "versions": [{"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "5956f4203b6cdd0755bbdd21b45f3933c7026208", "status": "affected", "versionType": "git"}, {"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "fe20e3d56bc911408fc3c27a17c59e9d7885f7d1", "status": "affected", "versionType": "git"}, {"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "a9545af2a533739ffb64d6c9a6fec6f13e2b505f", "status": "affected", "versionType": "git"}, {"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447", "status": "affected", "versionType": "git"}, {"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "24228dcf1d30c2231caa332be7d3090ac59fbfe9", "status": "affected", "versionType": "git"}, {"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb", "status": "affected", "versionType": "git"}, {"version": "8399918f3056e1033f0f4c08eab437fb38d6f22d", "lessThan": "cb5942b77c05d54310a0420cac12935e9b6aa21c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/microchip/wilc1000/netdev.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.214", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.153", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.83", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.23", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.11", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.2", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.214"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.153"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.7.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.8.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208"}, {"url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1"}, {"url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f"}, {"url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447"}, {"url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9"}, {"url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb"}, {"url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c"}], "title": "wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.707Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:48:12.761255Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:23.894Z"}}, {"x_adpType": "supplier", "providerMetadata": {"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-05-12T11:50:14.419Z"}, "affected": [{"vendor": "Siemens", "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}]}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.707Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:48:12.761255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:16.495Z"}}], "cna": {"title": "wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8399918f3056", "lessThan": "5956f4203b6c", "versionType": "git"}, {"status": "affected", "version": "8399918f3056", "lessThan": "fe20e3d56bc9", "versionType": "git"}, {"status": "affected", "version": "8399918f3056", "lessThan": "a9545af2a533", "versionType": "git"}, {"status": "affected", "version": "8399918f3056", "lessThan": "3da9d32b7f4a", "versionType": "git"}, {"status": "affected", "version": "8399918f3056", "lessThan": "24228dcf1d30", "versionType": "git"}, {"status": "affected", "version": "8399918f3056", "lessThan": "73a2aa0aef86", "versionType": "git"}, {"status": "affected", "version": "8399918f3056", "lessThan": "cb5942b77c05", "versionType": "git"}], "programFiles": ["drivers/net/wireless/microchip/wilc1000/netdev.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.5"}, {"status": "unaffected", "version": "0", "lessThan": "5.5", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.214", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.153", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.83", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.23", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.11", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.2", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/wireless/microchip/wilc1000/netdev.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208"}, {"url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1"}, {"url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f"}, {"url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447"}, {"url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9"}, {"url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb"}, {"url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n safely modify the list as we go through each element. For each element,\n remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n sure it is safe to free the corresponding vif too (through\n unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:17:47.384Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26895", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:17:47.384Z", "dateReserved": "2024-02-19T14:20:24.186Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-17T10:27:46.585Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "65987874-467B-4D3B-91D6-68A129B34FB8", "versionEndExcluding": "5.10.214", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACB69438-845D-4E3C-B114-3140611F9C0B", "versionEndExcluding": "5.15.153", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "121A07F6-F505-4C47-86BF-9BB6CC7B6C19", "versionEndExcluding": "6.1.83", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E00814DC-0BA7-431A-9926-80FEB4A96C68", "versionEndExcluding": "6.6.23", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD", "versionEndExcluding": "6.7.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1", "versionEndExcluding": "6.8.2", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n safely modify the list as we go through each element. For each element,\n remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n sure it is safe to free the corresponding vif too (through\n unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: wilc1000: evita el use-after-free en vif al limpiar todas las interfaces wilc_netdev_cleanup activa actualmente una advertencia KASAN, que se puede observar en la ruta del error de registro de la interfaz, o simplemente eliminando el m\u00f3dulo/dispositivo de desvinculaci\u00f3n del controlador: echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind ========================== ========================================= ERROR: KASAN: uso de losa despu\u00e9s -free en wilc_netdev_cleanup+0x508/0x5cc Lectura de tama\u00f1o 4 en addr c54d1ce8 por tarea sh/86 CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117 Nombre de hardware: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack de dump_stack_lvl+0x34/0x58 dump_stack_lvl de print_report+0x154/0x500 print_report de kasan_report+0xac/0xd8 kasan_report de wilc_netdev_cleanup+0x508/0x5cc wilc_netdev_cleanup de wilc_bus_remove+0xc8/0xec wilc_bus_remove de spi_remove+0x8c/0xac spi_remove de dispositivo_release_driver_internal+0x434/0x5f8 dispositivo_release_driver_internal de unbind_store+0xbc/0x108 unbind_store de kernfs_fop_write_iter+0x398/0x584 kernfs_fop_write_iter de vfs_write+0x728/0xf88 vfs_write de ksys_write+0x110/0x1e4 ksys_write de ret_fast_syscall+0x0/0 x1c [...] Asignado por la tarea 1: kasan_save_track+0x30/0x5c __kasan_kmalloc +0x8c/0x94 __kmalloc_node+0x1cc/0x3e4 kvmalloc_node+0x48/0x180 alloc_netdev_mqs+0x68/0x11dc alloc_etherdev_mqs+0x28/0x34 wilc_netdev_ifc_init+0x34/0x8ec wilc_cfg80211 _init+0x690/0x910 wilc_bus_probe+0xe0/0x4a0 spi_probe+0x158/0x1b0 Actually_probe+0x270/0xdf4 __driver_probe_device +0x1dc/0x580 driver_probe_device+0x60/0x140 __driver_attach+0x228/0x5d4 bus_for_each_dev+0x13c/0x1a8 bus_add_driver+0x2a0/0x608 driver_register+0x24c/0x578 do_one_initcall+0x180/0x310 kernel _init_freeable+0x424/0x484 kernel_init+0x20/0x148 ret_from_fork+0x14/0x28 Liberado por tarea 86: kasan_save_track+0x30/0x5c kasan_save_free_info+0x38/0x58 __kasan_slab_free+0xe4/0x140 kfree+0xb0/0x238 device_release+0xc0/0x2a8 kobject_put+0x1d4/0x46c netdev_run_todo+0x8fc/0x11 d0 wilc_netdev_cleanup+0x1e4/0x5cc wilc_bus_remove+0xc8/0xec spi_remove +0x8c/0xac dispositivo_release_driver_internal+0x434/0x5f8 unbind_store+0xbc/0x108 kernfs_fop_write_iter+0x398/0x584 vfs_write+0x728/0xf88 ksys_write+0x110/0x1e4 ret_fast_syscall+0x0/0x1c [...] La investigaci\u00f3n inicial de David Mosberger-Tan [1] mostr\u00f3 que Este use-after-free se debe a la cancelaci\u00f3n del registro del dispositivo de red durante el recorrido de la lista vif. Al cancelar el registro de un dispositivo de red, dado que need_free_netdev se configur\u00f3 en verdadero durante el registro, el objeto netdevice tambi\u00e9n se libera y, como consecuencia, tambi\u00e9n el objeto vif correspondiente, ya que est\u00e1 adjunto a \u00e9l como datos privados del dispositivo de red. La siguiente aparici\u00f3n del bucle intenta acceder al puntero vif liberado a la lista para avanzar en la lista. Solucionar este use-after-free gracias a dos mecanismos: - navegar en la lista con list_for_each_entry_safe, que permite modificar de forma segura la lista a medida que avanzamos por cada elemento. Para cada elemento, elim\u00ednelo de la lista con list_del_rcu; aseg\u00farese de esperar a que finalice el per\u00edodo de gracia de RCU despu\u00e9s de cada eliminaci\u00f3n de vif para asegurarse de que tambi\u00e9n sea seguro liberar el vif correspondiente (a trav\u00e9s de unregister_netdev). Ya que estamos en un \"modificador\" de RCU. ruta (no una ruta de \"lector\"), y debido a que se espera que dicha ruta no sea concurrente con ning\u00fan otro modificador (estamos usando el bloqueo vif_mutex), no necesitamos usar la API de lista RCU, es por eso que podemos beneficiarnos de list_for_each_entry_safe . [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/"}], "id": "CVE-2024-26895", "lastModified": "2026-05-12T12:16:24.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-17T11:15:10.677", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces", "id": "2275659", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275659"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\nunwind_backtrace from show_stack+0x18/0x1c\nshow_stack from dump_stack_lvl+0x34/0x58\ndump_stack_lvl from print_report+0x154/0x500\nprint_report from kasan_report+0xac/0xd8\nkasan_report from wilc_netdev_cleanup+0x508/0x5cc\nwilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\nwilc_bus_remove from spi_remove+0x8c/0xac\nspi_remove from device_release_driver_internal+0x434/0x5f8\ndevice_release_driver_internal from unbind_store+0xbc/0x108\nunbind_store from kernfs_fop_write_iter+0x398/0x584\nkernfs_fop_write_iter from vfs_write+0x728/0xf88\nvfs_write from ksys_write+0x110/0x1e4\nksys_write from ret_fast_syscall+0x0/0x1c\n[...]\nAllocated by task 1:\nkasan_save_track+0x30/0x5c\n__kasan_kmalloc+0x8c/0x94\n__kmalloc_node+0x1cc/0x3e4\nkvmalloc_node+0x48/0x180\nalloc_netdev_mqs+0x68/0x11dc\nalloc_etherdev_mqs+0x28/0x34\nwilc_netdev_ifc_init+0x34/0x8ec\nwilc_cfg80211_init+0x690/0x910\nwilc_bus_probe+0xe0/0x4a0\nspi_probe+0x158/0x1b0\nreally_probe+0x270/0xdf4\n__driver_probe_device+0x1dc/0x580\ndriver_probe_device+0x60/0x140\n__driver_attach+0x228/0x5d4\nbus_for_each_dev+0x13c/0x1a8\nbus_add_driver+0x2a0/0x608\ndriver_register+0x24c/0x578\ndo_one_initcall+0x180/0x310\nkernel_init_freeable+0x424/0x484\nkernel_init+0x20/0x148\nret_from_fork+0x14/0x28\nFreed by task 86:\nkasan_save_track+0x30/0x5c\nkasan_save_free_info+0x38/0x58\n__kasan_slab_free+0xe4/0x140\nkfree+0xb0/0x238\ndevice_release+0xc0/0x2a8\nkobject_put+0x1d4/0x46c\nnetdev_run_todo+0x8fc/0x11d0\nwilc_netdev_cleanup+0x1e4/0x5cc\nwilc_bus_remove+0xc8/0xec\nspi_remove+0x8c/0xac\ndevice_release_driver_internal+0x434/0x5f8\nunbind_store+0xbc/0x108\nkernfs_fop_write_iter+0x398/0x584\nvfs_write+0x728/0xf88\nksys_write+0x110/0x1e4\nret_fast_syscall+0x0/0x1c\n[...]\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\nsafely modify the list as we go through each element. For each element,\nremove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\nsure it is safe to free the corresponding vif too (through\nunregister_netdev)\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/"], "name": "CVE-2024-26895", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26895\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26895\nhttps://lore.kernel.org/linux-cve-announce/2024041744-CVE-2024-26895-5eee@gregkh/T"], "threat_severity": "Low"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object