- Vulnerability/
- CVE-2024-26763
CVE-2024-26763: dm-crypt: don't modify the data when using authenticated encryption
First published: Wed Apr 03 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: dm-crypt: don't modify the data when using authenticated encryption It was said that authenticated encryption could produce invalid tag when the data that is being encrypted is modified [1]. So, fix this problem by copying the data into the clone bio first and then encrypt them inside the clone bio. This may reduce performance, but it is needed to prevent the user from corrupting the device by writing data with O_DIRECT and modifying them at the same time. [1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.119-1 6.12.11-1 6.12.12-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa
- https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529
- https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90
- https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e
- https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7
- https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75
- https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857
- https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6
- https://launchpad.net/bugs/cve/CVE-2024-26763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26763
- https://nvd.nist.gov/vuln/detail/CVE-2024-26763
- https://security-tracker.debian.org/tracker/CVE-2024-26763
- https://ubuntu.com/security/CVE-2024-26763
- https://git.kernel.org/linus/50c70240097ce41fe6bce6478b80478281e4d0f7
Frequently Asked Questions
What is the severity of CVE-2024-26763?
CVE-2024-26763 is classified as a medium severity vulnerability due to the potential for data integrity issues.
How do I fix CVE-2024-26763?
To mitigate CVE-2024-26763, update the Linux kernel to a safe version such as 5.10.223-1, 5.10.226-1, 6.1.119-1, 6.1.123-1, 6.12.11-1, or 6.12.12-1.
What vulnerabilities does CVE-2024-26763 address?
CVE-2024-26763 addresses issues with the dm-crypt implementation that could lead to invalid tag production when authenticated encryption is performed on modified data.
Which systems are affected by CVE-2024-26763?
CVE-2024-26763 affects systems running vulnerable versions of the Linux kernel, notably those using the dm-crypt module.
Is CVE-2024-26763 exploitable remotely?
CVE-2024-26763 is not considered remotely exploitable as it requires local access to the affected system to exploit the vulnerability.
- agent/severity
- agent/title
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-api
- source/NVD
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/event
- agent/description
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- package-manager/debian