#VU90010 Memory leak in Linux kernel - CVE-2024-26669


Vulnerability identifier: #VU90010

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26669

CWE-ID: CWE-401

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the fl_tmplt_destroy() function in net/sched/cls_flower.c, within the tcf_block_playback_offloads() and tc_chain_tmplt_add() functions in net/sched/cls_api.c, within the void() function in include/net/sch_generic.h. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97
https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01
https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


APEX Cloud Platform for Microsoft Azure update for third-party components
Anolis OS update for kernel
Multiple vulnerabilities in IBM Security Guardium
Ubuntu update for linux-azure-5.15
Multiple vulnerabilities in IBM Technical Support Appliance
Ubuntu update for linux-intel-iotg
Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak
Ubuntu update for linux-azure
Ubuntu update for linux-iot
Ubuntu update for linux-raspi