CVE-2024-26654 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer. When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below: (Thread 1) | (Thread 2) snd_aicapcm_pcm_close() | ... | run_spu_dma() //worker | mod_timer() flush_work() | del_timer() | aica_period_elapsed() //timer kfree(dreamcastcard->channel) | schedule_work() | run_spu_dma() //worker ... | dreamcastcard->channel-> //USE In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc1::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457
https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04
https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2
https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901
https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5
https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046
https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845
https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3
https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lore.kernel.org/linux-cve-announce/2024040142-CVE-2024-26654-aa6c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26654
https://www.cve.org/CVERecord?id=CVE-2024-26654

History

Mon, 03 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux Linux Linux linux Kernel
CPEs		cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.9:rc1::::::
Vendors & Products		Debian Debian debian Linux Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Tue, 05 Nov 2024 10:45:00 +0000

Type	Values Removed	Values Added
References	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Tue, 05 Nov 2024 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-01T08:35:19.763Z

Updated: 2025-05-04T08:53:11.500Z

Reserved: 2024-02-19T14:20:24.144Z

Link: CVE-2024-26654

Vulnrichment

Updated: 2024-08-02T00:07:19.846Z

NVD

Status : Analyzed

Published: 2024-04-01T09:15:51.063

Modified: 2025-02-03T14:32:27.763

Link: CVE-2024-26654

Redhat

Severity : Moderate

Publid Date: 2024-04-01T00:00:00Z

Links: CVE-2024-26654 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26654", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.144Z", "datePublished": "2024-04-01T08:35:19.763Z", "dateUpdated": "2025-05-04T08:53:11.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:53:11.500Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/sh/aica.c"], "versions": [{"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "4206ad65a0ee76920041a755bd3c17c6ba59bba2", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "aa39e6878f61f50892ee2dd9d2176f72020be845", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "8c990221681688da34295d6d76cc2f5b963e83f5", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "9d66ae0e7bb78b54e1e0525456c6b54e1d132046", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "61d4787692c1fccdc268ffa7a891f9c149f50901", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "3c907bf56905de7d27b329afaf59c2fb35d17b04", "status": "affected", "versionType": "git"}, {"version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "051e0840ffa8ab25554d6b14b62c9ab9e4901457", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/sh/aica.c"], "versions": [{"version": "2.6.23", "status": "affected"}, {"version": "0", "lessThan": "2.6.23", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.312", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.274", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.84", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.24", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.12", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.3", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "4.19.312"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.4.274"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.10.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "5.15.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.1.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.6.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.7.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.8.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.23", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2"}, {"url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2"}, {"url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845"}, {"url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5"}, {"url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046"}, {"url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901"}, {"url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3"}, {"url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04"}, {"url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457"}], "title": "ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.846Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:59.432754Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:42.392Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.846Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:53:59.432754Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.261Z"}}], "cna": {"title": "ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "4206ad65a0ee76920041a755bd3c17c6ba59bba2", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "aa39e6878f61f50892ee2dd9d2176f72020be845", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "8c990221681688da34295d6d76cc2f5b963e83f5", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "9d66ae0e7bb78b54e1e0525456c6b54e1d132046", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "61d4787692c1fccdc268ffa7a891f9c149f50901", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "3c907bf56905de7d27b329afaf59c2fb35d17b04", "versionType": "git"}, {"status": "affected", "version": "198de43d758ca2700e2b52b49c0b189b4931466c", "lessThan": "051e0840ffa8ab25554d6b14b62c9ab9e4901457", "versionType": "git"}], "programFiles": ["sound/sh/aica.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.23"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.23", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.312", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.274", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.215", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.154", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.84", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.24", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.12", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.3", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["sound/sh/aica.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2"}, {"url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2"}, {"url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845"}, {"url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5"}, {"url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046"}, {"url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901"}, {"url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3"}, {"url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04"}, {"url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.312", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.274", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.215", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.154", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.84", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.24", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.12", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.3", "versionStartIncluding": "2.6.23"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "2.6.23"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:53:11.500Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26654", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:53:11.500Z", "dateReserved": "2024-02-19T14:20:24.144Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-01T08:35:19.763Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FCC9944-2B27-4800-9B5A-6C9508FEAA0D", "versionEndExcluding": "4.19.312", "versionStartIncluding": "2.6.23", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F45A0F3C-C16D-49C4-86D6-D021C3D4B834", "versionEndExcluding": "5.4.274", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CD5894E-58E9-4B4A-B0F4-3E6BC134B8F5", "versionEndExcluding": "5.10.215", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "834D9BD5-42A6-4D74-979E-4D6D93F630FD", "versionEndExcluding": "6.1.84", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8018C1D0-0A5F-48D0-BC72-A2B33FDDA693", "versionEndExcluding": "6.6.24", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53", "versionEndExcluding": "6.7.12", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C59BBC3-6495-4A77-9C82-55EC7CDF5E02", "versionEndExcluding": "6.8.3", "versionStartIncluding": "6.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: sh: aica: reordenar operaciones de limpieza para evitar errores UAF. El dreamcastcard->timer podr\u00eda programar el spu_dma_work y el spu_dma_work tambi\u00e9n podr\u00eda armar el dreamcastcard->timer. Cuando se cierre snd_pcm_substream, se desasignar\u00e1 aica_channel. Pero a\u00fan se podr\u00eda eliminar la referencia en el hilo del trabajador. La raz\u00f3n es que del_timer() regresar\u00e1 directamente independientemente de si el controlador del temporizador se est\u00e1 ejecutando o no y el trabajador podr\u00eda reprogramarse en el controlador del temporizador. Como resultado, se producir\u00e1 el error UAF. La situaci\u00f3n picante se muestra a continuaci\u00f3n: (Thread 1) | (Thread 2) snd_aicapcm_pcm_close() | ... | run_spu_dma() //worker | mod_timer() flush_work() | del_timer() | aica_period_elapsed() //timer kfree(dreamcastcard->channel) | schedule_work() | run_spu_dma() //worker ... | dreamcastcard->channel-> //USE Para mitigar este error y otros posibles casos extremos, llame a mod_timer() condicionalmente en run_spu_dma(), luego implemente la operaci\u00f3n PCM sync_stop para cancelar tanto el temporizador como el trabajador. La operaci\u00f3n sync_stop se llamar\u00e1 desde el n\u00facleo PCM de forma adecuada cuando sea necesario."}], "id": "CVE-2024-26654", "lastModified": "2025-02-03T14:32:27.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-01T09:15:51.063", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs", "id": "2272446", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272446"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n(Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n... | run_spu_dma() //worker\n| mod_timer()\nflush_work() |\ndel_timer() | aica_period_elapsed() //timer\nkfree(dreamcastcard->channel) | schedule_work()\n| run_spu_dma() //worker\n... | dreamcastcard->channel-> //USE\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", "A vulnerability was found in the ALSA sh driver of Linux Kernel, when the snd_pcm_substream closes and deallocates aica_channel, which can still be accessed by the spu_dma_work scheduled by dreamcastcard->timer and del_timer() returns directly, allowing the worker thread to be rescheduled during timer handling potentially leads to an Use-After-Free."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-26654", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26654\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26654\nhttps://lore.kernel.org/linux-cve-announce/2024040142-CVE-2024-26654-aa6c@gregkh/T"], "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object