{"id":"AZL-40481","summary":"CVE-2024-26961 affecting package hyperv-daemons for versions less than 5.15.158.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \u003cTASK\u003e\n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n  comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n  hex dump (first 32 bytes):\n    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......\".......\n    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................\n  backtrace:\n    [\u003cffffffff81dcfa62\u003e] __kmem_cache_alloc_node+0x1e2/0x2d0\n    [\u003cffffffff81c43865\u003e] kmalloc_trace+0x25/0xc0\n    [\u003cffffffff88968b09\u003e] mac802154_llsec_key_add+0xac9/0xcf0\n    [\u003cffffffff8896e41a\u003e] ieee802154_add_llsec_key+0x5a/0x80\n    [\u003cffffffff8892adc6\u003e] nl802154_add_llsec_key+0x426/0x5b0\n    [\u003cffffffff86ff293e\u003e] genl_family_rcv_msg_doit+0x1fe/0x2f0\n    [\u003cffffffff86ff46d1\u003e] genl_rcv_msg+0x531/0x7d0\n    [\u003cffffffff86fee7a9\u003e] netlink_rcv_skb+0x169/0x440\n    [\u003cffffffff86ff1d88\u003e] genl_rcv+0x28/0x40\n    [\u003cffffffff86fec15c\u003e] netlink_unicast+0x53c/0x820\n    [\u003cffffffff86fecd8b\u003e] netlink_sendmsg+0x93b/0xe60\n    [\u003cffffffff86b91b35\u003e] ____sys_sendmsg+0xac5/0xca0\n    [\u003cffffffff86b9c3dd\u003e] ___sys_sendmsg+0x11d/0x1c0\n    [\u003cffffffff86b9c65a\u003e] __sys_sendmsg+0xfa/0x1d0\n    [\u003cffffffff88eadbf5\u003e] do_syscall_64+0x45/0xf0\n    [\u003cffffffff890000ea\u003e] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).","modified":"2026-04-01T05:14:02.271778Z","published":"2024-05-01T06:15:12Z","upstream":["CVE-2024-26961"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26961"}],"affected":[{"package":{"name":"hyperv-daemons","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/hyperv-daemons"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.158.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40481.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}