PT-2024-7821 · Linux+9 · Linux Kernel+9
Alan Stern
·
Published
2024-04-11
·
Updated
2026-02-21
·
CVE-2024-26993
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.37
Description
The issue is related to a reference leak in the
sysfs break active protection() routine. When the call to kernfs find and get() fails, kn will be NULL, and the companion sysfs unbreak active protection() routine won't get called, resulting in an unreleased reference to kobj. This leak can be fixed by adding an explicit kobject put() call when kn is NULL. The vulnerability may allow an attacker to access confidential information.Recommendations
To resolve the issue, update to Linux kernel version 6.6.37 or later. As a temporary workaround, consider restricting access to the
sysfs break active protection() function until a patch is available.Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Astra Linux
Centos
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu