CVE-2024-26978: serial: max310x: fix NULL pointer dereference in I2C instantiation
First published: Wed May 01 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: serial: max310x: fix NULL pointer dereference in I2C instantiation When trying to instantiate a max14830 device from userspace: echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device we get the following error: Unable to handle kernel NULL pointer dereference at virtual address... ... Call trace: max310x_i2c_probe+0x48/0x170 [max310x] i2c_device_probe+0x150/0x2a0 ... Add check for validity of devtype to prevent the error, and abort probe with a meaningful error message.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | <5.4.274 | |
| Linux Kernel | >=5.5<5.10.215 | |
| Linux Kernel | >=5.11<6.1.84 | |
| Linux Kernel | >=6.2<6.6.24 | |
| Linux Kernel | >=6.7<6.7.12 | |
| Linux Kernel | >=6.8<=6.8.3 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.135-1 6.12.22-1 6.12.25-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/0d27056c24efd3d63a03f3edfbcfc4827086b110
- https://git.kernel.org/stable/c/12609c76b755dbeb1645c0aacc0f0f4743b2eff3
- https://git.kernel.org/stable/c/2160ad6861c4a21d3fa553d7b2aaec6634a37f8a
- https://git.kernel.org/stable/c/5cd8af02b466e1beeae13e2de3dc58fcc7925e5a
- https://git.kernel.org/stable/c/7d271b798add90c6196539167c019d0817285cf0
- https://git.kernel.org/stable/c/aeca49661fd02fd56fb026768b580ce301b45733
- https://git.kernel.org/stable/c/c45e53c27b78afd6c81fc25608003576f27b5735
- https://launchpad.net/bugs/cve/CVE-2024-26978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26978
- https://nvd.nist.gov/vuln/detail/CVE-2024-26978
- https://security-tracker.debian.org/tracker/CVE-2024-26978
- https://ubuntu.com/security/CVE-2024-26978
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://git.kernel.org/linus/0d27056c24efd3d63a03f3edfbcfc4827086b110
Frequently Asked Questions
What is the severity of CVE-2024-26978?
CVE-2024-26978 is classified as a low-severity vulnerability due to the potential for a NULL pointer dereference in the Linux kernel.
How do I fix CVE-2024-26978?
To fix CVE-2024-26978, update your Linux kernel to a version that includes the patch, such as 5.10.223-1 or later.
What software versions are affected by CVE-2024-26978?
CVE-2024-26978 affects various versions of the Linux kernel from below 5.4.274 and between 5.5 and 6.8.3.
Is CVE-2024-26978 remotely exploitable?
CVE-2024-26978 is not considered remotely exploitable as it requires local access to the device.
What type of vulnerability is CVE-2024-26978?
CVE-2024-26978 is a NULL pointer dereference vulnerability that occurs during the instantiation of a max14830 device.
- agent/title
- agent/type
- agent/severity
- agent/weakness
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/trending
- agent/event
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.8
- version/linux kernel/6.8.3
- package-manager/debian