#VU93806 Buffer overflow in Linux kernel - CVE-2024-26824

Vulnerability identifier: #VU93806

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26824

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the hash_sendmsg() and af_alg_free_sg() functions in crypto/algif_hash.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: 6.6, 6.6 rc1, 6.6 rc2, 6.6 rc3, 6.6 rc4, 6.6 rc5, 6.6 rc6, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 6.6.13, 6.6.14, 6.6.15, 6.6.16, 6.6.17, 6.7, 6.7 rc1, 6.7 rc2, 6.7 rc3, 6.7 rc5, 6.7 rc6, 6.7 rc7, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.8 rc1, 6.8 rc2, 6.8 rc5

---

External links
https://git.kernel.org/stable/c/9c82920359b7c1eddaf72069bcfe0ffddf088cd0
https://git.kernel.org/stable/c/775f3c1882a493168e08fdb8cde0865c8f3a8a29
https://git.kernel.org/stable/c/24c890dd712f6345e382256cae8c97abb0406b70
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.18
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.7.6
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.8

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.