CVE-2024-50215: nvmet-auth: assign dh_key to NULL after kfree_sensitive
First published: Sat Nov 09 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: nvmet-auth: assign dh_key to NULL after kfree_sensitive ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup() for the same controller. So it's better to nullify it after release on error path in order to avoid double free later in nvmet_destroy_auth(). Found by Linux Verification Center (linuxtesting.org) with Svace.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=6.0<6.1.116 | |
| Linux Kernel | >=6.2<6.6.60 | |
| Linux Kernel | >=6.7<6.11.7 | |
| Linux Kernel | =6.12-rc1 | |
| Linux Kernel | =6.12-rc2 | |
| Linux Kernel | =6.12-rc3 | |
| Linux Kernel | =6.12-rc4 | |
| Linux Kernel | =6.12-rc5 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.133-1 6.12.21-1 6.12.22-1 | |
| debian/linux-6.1 | 6.1.129-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/c94e965f766321641ec38e4eece9ce8884543244
- https://git.kernel.org/stable/c/c60af16e1d6cc2237d58336546d6adfc067b6b8f
- https://git.kernel.org/stable/c/e61bd51e44409495d75847e9230736593e4c8710
- https://git.kernel.org/stable/c/d2f551b1f72b4c508ab9298419f6feadc3b5d791
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50215
- https://nvd.nist.gov/vuln/detail/CVE-2024-50215
- https://launchpad.net/bugs/cve/CVE-2024-50215
- https://security-tracker.debian.org/tracker/CVE-2024-50215
- https://ubuntu.com/security/CVE-2024-50215
- https://git.kernel.org/linus/d2f551b1f72b4c508ab9298419f6feadc3b5d791
Frequently Asked Questions
What is the severity of CVE-2024-50215?
CVE-2024-50215 has a moderate severity level due to potential information leakage and denial of service risks.
How do I fix CVE-2024-50215?
To fix CVE-2024-50215, update your Linux kernel to a version that includes the patch, specifically versions after 6.1.116, 6.6.60, or 6.11.7.
Which versions of the Linux kernel are affected by CVE-2024-50215?
CVE-2024-50215 affects Linux kernel versions from 6.0 up to 6.1.116, from 6.2 up to 6.6.60, and from 6.7 up to 6.11.7, including specific release candidates.
What components are impacted by CVE-2024-50215?
CVE-2024-50215 impacts components related to the nvmet-auth function in the Linux kernel, particularly during the handling of the dh_key.
Is CVE-2024-50215 common in Linux distributions?
Yes, CVE-2024-50215 is a common vulnerability found across various Linux distributions that utilize affected kernel versions.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- agent/references
- agent/source
- agent/tags
- agent/description
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.0
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.12-rc1
- version/linux kernel/6.12-rc2
- version/linux kernel/6.12-rc3
- version/linux kernel/6.12-rc4
- version/linux kernel/6.12-rc5
- package-manager/debian