CVE-2024-26878: quota: Fix potential NULL pointer dereference

Published Apr 17, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

quota: Fix potential NULL pointer dereference

Below race may cause NULL pointer dereference

P1 P2 dquotfreeinode quotaoff dropdquotref removedquotref dquots = idquot(inode) dquots = idquot(inode) srcureadlock dquots[cnt]) != NULL (1) dquots[type] = NULL (2) spinlock(&dquots[cnt]->dqdqblock) (3) ....

If dquotfreeinode(or other routines) checks inode's quota pointers (1) before quotaoff sets it to NULL(2) and use it (3) after that, NULL pointer dereference will be triggered.

So let's fix it by using a temporary pointer to avoid this issue.

Other sources

In the Linux kernel, the following vulnerability has been resolved:

quota: Fix potential NULL pointer dereference

The Linux kernel CVE team has assigned CVE-2024-26878 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041740-CVE-2024-26878-5748@gregkh/T

Red Hat

Affected Software

23 affected componentsFixes available
redhat/kernel<4.19.311
4.19.311
redhat/kernel<5.4.273
5.4.273
redhat/kernel<5.10.214
5.10.214
redhat/kernel<5.15.153
5.15.153
redhat/kernel<6.1.83
6.1.83
redhat/kernel<6.6.23
6.6.23
redhat/kernel<6.7.11
6.7.11
redhat/kernel<6.8.2
6.8.2
redhat/kernel<6.9
6.9
Linux Linux kernel<4.19.311
Linux Linux kernel>=4.20<5.4.273
Linux Linux kernel>=5.5<5.10.214
Linux Linux kernel>=5.11<5.15.153
Linux Linux kernel>=5.16<6.1.83
Linux Linux kernel>=6.2<6.6.23
Linux Linux kernel>=6.7<6.7.11
Linux Linux kernel>=6.8<6.8.2
Debian Debian Linux=10.0
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-1

Remediation

Patch Available

https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25

Patch Available

https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5

Patch Available

https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0

Patch Available

https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0

Patch Available

https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877

Patch Available

https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754

Patch Available

https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1

Patch Available

https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f

Patch Available

https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7

Event History

Apr 17, 2024
CVE Published
via MITRE·10:27 AM
Data Sourced
via MITRE·10:27 AM
Description
Data Sourced
via NVD·11:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·06:19 PM
DescriptionSeverityAffected Software
Jun 8, 2024
Data Sourced
via Launchpad·01:08 AM
Description
Apr 28, 2025
Data Sourced
via Ubuntu·02:21 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-26878?

CVE-2024-26878 has been classified with a medium severity due to a potential NULL pointer dereference in the Linux kernel.

2

How do I fix CVE-2024-26878?

To fix CVE-2024-26878, update your kernel to version 4.19.311, 5.4.273, 5.10.214, 5.15.153, 6.1.83, or later versions.

3

What versions of the Linux kernel are affected by CVE-2024-26878?

CVE-2024-26878 affects multiple versions of the Linux kernel prior to 4.19.311, 5.4.273, 5.10.214, 5.15.153, 6.1.83, and others.

4

Is CVE-2024-26878 specific to any Linux distributions?

CVE-2024-26878 primarily affects the Red Hat and Debian distributions of the Linux kernel.

5

What type of vulnerability is CVE-2024-26878?

CVE-2024-26878 is a programming vulnerability related to race conditions that can lead to undefined behavior and system crashes.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203