{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26694", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.156Z", "datePublished": "2024-04-03T14:54:55.138Z", "dateUpdated": "2025-05-04T08:54:14.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:54:14.134Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "versions": [{"version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "lessThan": "ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "status": "affected", "versionType": "git"}, {"version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "lessThan": "d24eb9a27bea8fe5237fa71be274391d9d51eff2", "status": "affected", "versionType": "git"}, {"version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "lessThan": "353d321f63f7dbfc9ef58498cc732c9fe886a596", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.18", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.6", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.7.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}], "title": "wifi: iwlwifi: fix double-free bug", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-17T19:29:52.861166Z", "id": "CVE-2024-26694", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T19:30:17.789Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.834Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:12.834Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26694", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-17T19:29:52.861166Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T19:29:57.977Z"}}], "cna": {"title": "wifi: iwlwifi: fix double-free bug", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "lessThan": "ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad", "versionType": "git"}, {"status": "affected", "version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "lessThan": "d24eb9a27bea8fe5237fa71be274391d9d51eff2", "versionType": "git"}, {"status": "affected", "version": "5e31b3df86ec6fbb925eee77fe2c450099c61dff", "lessThan": "353d321f63f7dbfc9ef58498cc732c9fe886a596", "versionType": "git"}], "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.4"}, {"status": "unaffected", "version": "0", "lessThan": "6.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.18", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.6", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/wireless/intel/iwlwifi/iwl-drv.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}, {"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.18", "versionStartIncluding": "6.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.6", "versionStartIncluding": "6.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "6.4"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:54:14.134Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26694", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:54:14.134Z", "dateReserved": "2024-02-19T14:20:24.156Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-03T14:54:55.138Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "36E1DD5F-520C-45E0-A857-81C3B5CB12FE", "versionEndExcluding": "6.6.18", "versionStartIncluding": "6.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6D6A5C8-7308-42A9-8A72-ABF3DEA4BB82", "versionEndExcluding": "6.7.6", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*", "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*", "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: wifi: iwlwifi: corrige el error de doble liberaci\u00f3n El almacenamiento de los datos de registro de PC TLV no se realiz\u00f3 como el resto del almacenamiento en el \u00e1rea drv->fw, que se borra en el fin de la desasignaci\u00f3n. Por lo tanto, la liberaci\u00f3n tambi\u00e9n debe realizarse de manera diferente, anul\u00e1ndolo expl\u00edcitamente despu\u00e9s de la liberaci\u00f3n, ya que de lo contrario hay un desagradable error de doble liberaci\u00f3n aqu\u00ed si un archivo no se carga despu\u00e9s de haber sido analizado y obtenemos otra liberaci\u00f3n m\u00e1s tarde (por ejemplo porque no existe ning\u00fan otro archivo). Solucione el problema agregando la asignaci\u00f3n NULL que falta."}], "id": "CVE-2024-26694", "lastModified": "2025-01-07T20:53:53.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-03T15:15:52.717", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3627", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-05T00:00:00Z"}, {"advisory": "RHSA-2024:3618", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.5.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-05T00:00:00Z"}], "bugzilla": {"description": "kernel: wifi: iwlwifi: fix double-free bug", "id": "2273092", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273092"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-415", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: iwlwifi: fix double-free bug\nThe storage for the TLV PC register data wasn't done like all\nthe other storage in the drv->fw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL'ing it out after the free, since\notherwise there's a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment.", "A vulnerability was found in the Linux kernel's iwlwifi driver, where the TLV PC register data being freed is not properly marked as NULL afterwards, resulting in a double-free issue. This could lead to memory corruption or crashes."], "name": "CVE-2024-26694", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26694\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26694\nhttps://lore.kernel.org/linux-cve-announce/2024040337-CVE-2024-26694-b216@gregkh/T"], "threat_severity": "Moderate"}