CVE-2024-26870: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

Published Apr 17, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

NFSv4.2: fix nfs4listxattr kernel BUG at mm/usercopy.c:102

A call to listxattr() with a buffer size = 0 returns the actual size of the buffer needed for a subsequent call. When size > 0, nfs4listxattr() does not return an error because either genericlistxattr() or nfs4listxattrnfs4label() consumes exactly all the bytes then size is 0 when calling nfs4listxattrnfs4user() which then triggers the following kernel BUG:

[ 99.403778] kernel BUG at mm/usercopy.c:102! [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1 [ 99.415827] Call trace: [ 99.415985] usercopyabort+0x70/0xa0 [ 99.416227] checkheapobject+0x134/0x158 [ 99.416505] checkheapobject+0x150/0x188 [ 99.416696] checkobjectsize.part.0+0x78/0x168 [ 99.416886] checkobjectsize+0x28/0x40 [ 99.417078] listxattr+0x8c/0x120 [ 99.417252] pathlistxattr+0x78/0xe0 [ 99.417476] arm64syslistxattr+0x28/0x40 [ 99.417723] invokesyscall+0x78/0x100 [ 99.417929] el0svccommon.constprop.0+0x48/0xf0 [ 99.418186] doel0svc+0x24/0x38 [ 99.418376] el0svc+0x3c/0x110 [ 99.418554] el0t64synchandler+0x120/0x130 [ 99.418788] el0t64sync+0x194/0x198 [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)

Issue is reproduced when genericlistxattr() returns 'system.nfs4acl', thus calling lisxattr() with size = 16 will trigger the bug.

Add check on nfs4listxattr() to return ERANGE error when it is called with size > 0 and the return value is greater than size.

Other sources

In the Linux kernel, the following vulnerability has been resolved:

NFSv4.2: fix nfs4listxattr kernel BUG at mm/usercopy.c:102

The Linux kernel CVE team has assigned CVE-2024-26870 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041738-CVE-2024-26870-7aea@gregkh/T

Red Hat

Linux Kernel is vulnerable to a denial of service, caused by a nfs4listxattr kernel BUG at mm/usercopy.c. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Affected Software

19 affected componentsFixes available
redhat/kernel<5.10.214
5.10.214
redhat/kernel<5.15.153
5.15.153
redhat/kernel<6.1.83
6.1.83
redhat/kernel<6.6.23
6.6.23
redhat/kernel<6.7.11
6.7.11
redhat/kernel<6.8.2
6.8.2
redhat/kernel<6.9
6.9
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
Linux Linux kernel>=5.9<5.10.214
Linux Linux kernel>=5.11<5.15.153
Linux Linux kernel>=5.16<6.1.83
Linux Linux kernel>=6.2<6.6.23
Linux Linux kernel>=6.7<6.7.11
Linux Linux kernel>=6.8<6.8.2
Debian Debian Linux=10.0
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1

Remediation

Patch Available

https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb

Patch Available

https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf

Patch Available

https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65

Patch Available

https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b

Patch Available

https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768

Patch Available

https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf

Patch Available

https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a

Event History

Apr 17, 2024
CVE Published
via MITRE·10:27 AM
Data Sourced
via MITRE·10:27 AM
Description
Data Sourced
via NVD·11:15 AM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Red Hat·06:33 PM
DescriptionSeverityAffected Software
Jun 8, 2024
Data Sourced
via Launchpad·01:08 AM
Description
May 6, 2025
Data Sourced
via Ubuntu·02:22 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-26870?

CVE-2024-26870 has been classified with a significant severity due to the potential for a kernel BUG in NFSv4.2.

2

How do I fix CVE-2024-26870?

To remediate CVE-2024-26870, upgrade your Linux kernel to the latest available versions as specified: 5.10.214, 5.15.153, 6.1.83, 6.6.23, 6.7.11, 6.8.2, or 6.9.

3

Which Linux kernel versions are affected by CVE-2024-26870?

CVE-2024-26870 affects various kernel versions including those below 5.10.214, 5.15.153, 6.1.83, 6.6.23, 6.7.11, 6.8.2, and 6.9.

4

Is there a specific command to check the current kernel version for CVE-2024-26870?

You can check your current kernel version by running the command 'uname -r' in the terminal.

5

What are the implications of not addressing CVE-2024-26870?

Failure to address CVE-2024-26870 may lead to system instability and potential exploitation through the NFSv4.2 interface.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203