{"api_version":"1","generated_at":"2026-06-01T11:01:32+00:00","cve":"CVE-2024-26859","urls":{"html":"https://cve.report/CVE-2024-26859","api":"https://cve.report/api/cve/CVE-2024-26859.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-26859","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-26859"},"summary":{"title":"net/bnx2x: Prevent access to a freed page in page_pool","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing.","state":"PUBLISHED","assigner":"Linux","published_at":"2024-04-17 11:15:08","updated_at":"2026-05-12 12:16:21"},"problem_types":["CWE-362"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","name":"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c","name":"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","name":"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699","name":"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec","name":"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4","name":"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9","name":"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68","name":"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d","name":"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-26859","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26859","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 7bcc090c81116c66936a7415f2c6b1483a4bcfd9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 4f37d3a7e004bbf560c21441ca9c022168017ec4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 8eebff95ce9558be66a36aa7cfb43223f3ab4699 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 cf7d8cba639ae792a42c2a137b495eac262ac36c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 c51f8b6930db3f259b8820b589f2459d2df3fc68 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 44f9f1abb0ecc43023225ab9539167facbabf0ec git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4cace675d687ebd2d813e90af80ff87ee85202f9 d27e2da94a42655861ca4baea30c8cd65546f25d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.311 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.273 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.214 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.153 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.83 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.23 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7.11 6.7.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.2 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"26859","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-26859","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-04-23T14:02:31.556726Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-07-05T17:21:09.772Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-02T00:14:13.698Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:49:36.248Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"7bcc090c81116c66936a7415f2c6b1483a4bcfd9","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"4f37d3a7e004bbf560c21441ca9c022168017ec4","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"8eebff95ce9558be66a36aa7cfb43223f3ab4699","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"cf7d8cba639ae792a42c2a137b495eac262ac36c","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"c51f8b6930db3f259b8820b589f2459d2df3fc68","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"44f9f1abb0ecc43023225ab9539167facbabf0ec","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"},{"lessThan":"d27e2da94a42655861ca4baea30c8cd65546f25d","status":"affected","version":"4cace675d687ebd2d813e90af80ff87ee85202f9","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.2"},{"lessThan":"4.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.311","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.273","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.214","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.153","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.83","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.23","versionType":"semver"},{"lessThanOrEqual":"6.7.*","status":"unaffected","version":"6.7.11","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.9","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.311","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.273","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.214","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.153","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.83","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.23","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.7.11","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.2","versionStartIncluding":"4.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9","versionStartIncluding":"4.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing."}],"providerMetadata":{"dateUpdated":"2026-05-11T20:05:30.893Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9"},{"url":"https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4"},{"url":"https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699"},{"url":"https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598"},{"url":"https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c"},{"url":"https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb"},{"url":"https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68"},{"url":"https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec"},{"url":"https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d"}],"title":"net/bnx2x: Prevent access to a freed page in page_pool","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-26859","datePublished":"2024-04-17T10:27:23.709Z","dateReserved":"2024-02-19T14:20:24.183Z","dateUpdated":"2026-05-12T11:49:36.248Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-04-17 11:15:08","lastModifiedDate":"2026-05-12 12:16:21","problem_types":["CWE-362"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"4.19.311","matchCriteriaId":"AD980215-9885-4AEF-8844-E63A850472EB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.273","matchCriteriaId":"620FD8B7-BF03-43E0-951A-0A58461D4C55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.214","matchCriteriaId":"65987874-467B-4D3B-91D6-68A129B34FB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.153","matchCriteriaId":"ACB69438-845D-4E3C-B114-3140611F9C0B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.83","matchCriteriaId":"121A07F6-F505-4C47-86BF-9BB6CC7B6C19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.23","matchCriteriaId":"E00814DC-0BA7-431A-9926-80FEB4A96C68"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.11","matchCriteriaId":"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.2","matchCriteriaId":"543A75FF-25B8-4046-A514-1EA8EDD87AB1"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"26859","Ordinal":"1","Title":"net/bnx2x: Prevent access to a freed page in page_pool","CVE":"CVE-2024-26859","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"26859","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799  static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801  {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803     struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n    EEH: Beginning: 'slot_reset'\n    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n    BUG: Kernel NULL pointer dereference on read at 0x00000000\n    Faulting instruction address: 0xc0080000025065fc\n    Oops: Kernel access of bad area, sig: 11 [#1]\n    .....\n    Call Trace:\n    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing.","Type":"Description","Title":"net/bnx2x: Prevent access to a freed page in page_pool"}]}}}