CVE-2024-26851: netfilter: nf_conntrack_h323: Add protection for bmp length out of range
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfconntrackh323: Add protection for bmp length out of range
The Linux kernel CVE team has assigned CVE-2024-26851 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041723-CVE-2024-26851-4652@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfconntrackh323: Add protection for bmp length out of range
UBSAN load reports an exception of BRK#5515 SHIFTISSUE:Bitwise shifts that are out of bounds for their data type.
vmlinux getbitmap(b=75) + 712
vmlinux decodeseq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
vmlinux decodechoice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
vmlinux decodeseq(f=0xFFFFFFD0080371A8, level=134443500) + 812
vmlinux decodechoice(base=0xFFFFFFD008037280, level=0) + 1216
vmlinux DecodeRasMessage() + 304
vmlinux rashelp() + 684
vmlinux nfconfirm() + 188
Due to abnormal data in skb->data, the extension bitmap length exceeds 32 when decoding ras message then uses the length to make a shift operation. It will change into negative after several loop. UBSAN load could detect a negative shift as an undefined behaviour and reports exception. So we add the protection to avoid the length exceeding 32. Or else it will return out of range error and stop decoding.
— IBM
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfconntrackh323: Add protection for bmp length out of range
UBSAN load reports an exception of BRK#5515 SHIFTISSUE:Bitwise shifts that are out of bounds for their data type.
vmlinux getbitmap(b=75) + 712 <net/netfilter/nfconntrackh323asn1.c:0> vmlinux decodeseq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956 <net/netfilter/nfconntrackh323asn1.c:592> vmlinux decodechoice(base=0xFFFFFFD0080370F0, level=23843636) + 1216 <net/netfilter/nfconntrackh323asn1.c:814> vmlinux decodeseq(f=0xFFFFFFD0080371A8, level=134443500) + 812 <net/netfilter/nfconntrackh323asn1.c:576> vmlinux decodechoice(base=0xFFFFFFD008037280, level=0) + 1216 <net/netfilter/nfconntrackh323asn1.c:814> vmlinux DecodeRasMessage() + 304 <net/netfilter/nfconntrackh323asn1.c:833> vmlinux rashelp() + 684 <net/netfilter/nfconntrackh323main.c:1728> vmlinux nfconfirm() + 188 <net/netfilter/nfconntrackproto.c:137>
Due to abnormal data in skb->data, the extension bitmap length exceeds 32 when decoding ras message then uses the length to make a shift operation. It will change into negative after several loop. UBSAN load could detect a negative shift as an undefined behaviour and reports exception. So we add the protection to avoid the length exceeding 32. Or else it will return out of range error and stop decoding.
— NVD
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-26851?
CVE-2024-26851 has a medium severity rating due to the potential for denial of service attacks via exploit attempts.
How do I fix CVE-2024-26851?
To fix CVE-2024-26851, upgrade the Linux kernel to a version that is not affected, such as 4.19.310 or later versions specified by your distribution.
What are the affected Linux kernel versions for CVE-2024-26851?
CVE-2024-26851 affects multiple Linux kernel versions, including but not limited to 4.19.x, 5.4.x, 5.10.x, 5.15.x, 6.1.x, and 6.6.x.
Is there a patch available for CVE-2024-26851?
Yes, a patch for CVE-2024-26851 is available as part of the kernel updates provided by Red Hat and Debian.
What types of systems are vulnerable to CVE-2024-26851?
Systems running affected versions of the Linux kernel, particularly those utilizing netfilter and related networking features, are vulnerable to CVE-2024-26851.