Linux Kernel Security Update Advisory (CVE-2024-26592, CVE-2024-26594)

Feb 28 2024

Overview

An update has been made available to fix vulnerabilities in the Linux Kernel. Users of affected versions are advised to update to the latest version.

Affected Products

The following CVEs are only affected if ksmbd is enabled on the Linux system.

CVE-2024-26592

Linux Kernel after commit a848c4f15ab6 and before commit 999daf367b92 (before 5.15.149)
Versions since Linux Kernel a848c4f15ab6 commit and before 380965e48e9c commit (less than 6.1.75)
Linux Kernel a848c4f15ab6 and later but before the 24290ba94cd0 commit (less than 6.6.14)
Linux Kernel a848c4f15ab6 and later but before the 69d54650b751 commit (< 6.7.2)
Linux Kernel since commit a848c4f15ab6 and before commit 38d20c62903d(less than 6.8-rc1)

CVE-2024-26594

Linux Kernel since the 1da177e4c3f4 commit and before the dd1de9268745 commit (before 5.15.149)
Versions since Linux Kernel 1da177e4c3f4 commit and before 6eb8015492bc commit (less than 6.1.75)
Versions since Linux Kernel 1da177e4c3f4 commit and before a2b21ef1ea4c commit (less than 6.6.14)
Versions since Linux Kernel 1da177e4c3f4 commit and before 5e6dfec95833 commit (less than 6.7.2)
Linux Kernel 1da177e4c3f4 and later but before the 92e470163d96 commit(less than 6.8-rc1)

Resolved Vulnerabilities

USE AFTER FREE vulnerability in the ksmbd_tcp_new_connection() function in the Linux Kernel (CVE-2024-26592)
Information Disclosure vulnerability due to a flaw in SMB2 Mech token handling in the Linux Kernel (CVE-2024-26594)

Vulnerability Patches

CVE-2024-26592

All versions of the Linux Kernel prior to version 5.15
Linux Kernel versions 5.15.149 through 5.15.* (fixed in 5.15.149 with commit 380965e48e9c)
Linux Kernel 6.1.75 through 6.1.* (fixed in 6.1.75 with commit 380965e48e9c)
Linux Kernel 6.6.14 through 6.6.* (Fixed in 6.6.14 with commit 24290ba94cd0)
Linux Kernel 6.7.2 through 6.7.* (Fixed in 6.7.2 with commit 69d54650b751)
Linux Kernel 6.8-rc1 versions (fixed in 6.8-rc1 with commit 38d20c62903d)

CVE-2024-26594

Linux Kernel 5.15.149 through 5.15.x (Fixed in 5.15.149 with commit dd1de9268745)
Linux Kernel 6.1.75 through 6.1.x (fixed in 6.1.75 with commit 6eb8015492bc)
Linux Kernel 6.6.14 through 6.6.x (Fixed in 6.6.14 with commit a2b21ef1ea4c)
Linux Kernel 6.7.2 through 6.7.x (Fixed in 6.7.2 with commit 5e6dfec95833)
Linux Kernel 6.8-rc1 versions (fixed in 6.8-rc1 with commit 92e470163d96)

Referenced Sites

[1] CVE-2024-26592
https://www.cve.org/CVERecord?id=CVE-2024-26592
[2] CVE-2024-26594
https://www.cve.org/CVERecord?id=CVE-2024-26594
[3] CVE-2024-26592: ksmbd: fix UAF issue in ksmbd_tcp_new_connection()
https://lore.kernel.org/linux-CVE-announce/2024022259-CVE-2024-26592-58f7@gregkh/T/#u
[4] CVE-2024-26594: ksmbd: validate mech token in session setup
https://lore.kernel.org/linux-CVE-announce/2024022325-CVE-2024-26594-1cbc@gregkh/T/#u

Linux Kernel Security Update Advisory (CVE-2024-26592, CVE-2024-26594)

Overview

Affected Products

Resolved Vulnerabilities

Vulnerability Patches

Referenced Sites

WordPress Ultimate Member Plugin Security Update Advisory (CVE-2024-1071)

Advisory for aiohttp Framework Security Update (CVE-2024-23334)

Overview

Affected Products

Resolved Vulnerabilities

Vulnerability Patches

Referenced Sites

Tags:

WordPress Ultimate Member Plugin Security Update Advisory (CVE-2024-1071)

Advisory for aiohttp Framework Security Update (CVE-2024-23334)