Improper locking in Linux kernel

Vulnerability identifier: #VU92037

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26907

CWE-ID: CWE-667

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper locking within the set_eth_seg() function in drivers/infiniband/hw/mlx5/wr.c. A local user can execute arbitrary code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/d27c48dc309da72c3b46351a1205d89687272baa
https://git.kernel.org/stable/c/60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d
https://git.kernel.org/stable/c/cad82f1671e41094acd3b9a60cd27d67a3c64a21
https://git.kernel.org/stable/c/9a624a5f95733bac4648ecadb320ca83aa9c08fd
https://git.kernel.org/stable/c/185fa07000e0a81d54cf8c05414cebff14469a5c
https://git.kernel.org/stable/c/4d5e86a56615cc387d21c629f9af8fb0e958d350

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

#VU92037 Improper locking in Linux kernel - CVE-2024-26907

Q & A

Latest bulletins with this vulnerability