{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-26782",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\n\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   <IRQ>\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   </IRQ>\n   <TASK>\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   </TASK>\n\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\n\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\n\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "cf7da0d66cc1",
                                            "version_value": "f74362a00422"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "5.6",
                                                        "status": "affected"
                                                    },
                                                    {
                                                        "version": "0",
                                                        "lessThan": "5.6",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "5.10.212",
                                                        "lessThanOrEqual": "5.10.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "5.15.151",
                                                        "lessThanOrEqual": "5.15.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.1.81",
                                                        "lessThanOrEqual": "6.1.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.6.21",
                                                        "lessThanOrEqual": "6.6.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.7.9",
                                                        "lessThanOrEqual": "6.7.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.8",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e"
            },
            {
                "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e"
            },
            {
                "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85"
            },
            {
                "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582"
            },
            {
                "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc"
            },
            {
                "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c"
            },
            {
                "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html",
                "refsource": "MISC",
                "name": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
            }
        ]
    },
    "generator": {
        "engine": "bippy-a5840b7849dd"
    }
}