{"api_version":"1","generated_at":"2026-05-13T07:41:04+00:00","cve":"CVE-2024-26960","urls":{"html":"https://cve.report/CVE-2024-26960","api":"https://cve.report/api/cve/CVE-2024-26960.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-26960","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-26960"},"summary":{"title":"mm: swap: fix race between free_swap_and_cache() and swapoff()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----","state":"PUBLISHED","assigner":"Linux","published_at":"2024-05-01 06:15:12","updated_at":"2026-05-12 12:16:28"},"problem_types":["CWE-362","CWE-362 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e","name":"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","name":"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e","name":"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","name":"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","name":"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b","name":"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","name":"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-26960","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26960","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e d85c11c97ecf92d47a4b29e3faca714dc1f18d0d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 2da5568ee222ce0541bfe446a07998f92ed1643e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 1ede7f1d7eed1738d1b9333fd1e152ccb450b86a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 363d17e7f7907c8e27a9e86968af0eaa2301787b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 82b1c07a0af603e3c47b906c8e991dc96f01688e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.11","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.11 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.215 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.154 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.84 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.24 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7.12 6.7.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.3 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c d85c11c97ecf custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c 2da5568ee222 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c 1ede7f1d7eed custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c 0f98f6d2fb5f custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c 3ce4c4c653e4 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c 363d17e7f790 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 7c00bafee87c 82b1c07a0af6 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 5.10.215 5.11 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 6.1.84 6.2 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 6.6.24 6.7 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 6.8.3 6.9 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 6.9","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 4.11 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"affected 4.11","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 5.15.154 5.16 custom","platforms":[]},{"source":"ADP","vendor":"linux","product":"linux_kernel","version":"unaffected 6.7.12 6.8 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"26960","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"d85c11c97ecf","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"2da5568ee222","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"1ede7f1d7eed","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"0f98f6d2fb5f","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"3ce4c4c653e4","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"363d17e7f790","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"82b1c07a0af6","status":"affected","version":"7c00bafee87c","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"5.11","status":"unaffected","version":"5.10.215","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"6.2","status":"unaffected","version":"6.1.84","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"6.7","status":"unaffected","version":"6.6.24","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"6.9","status":"unaffected","version":"6.8.3","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"status":"unaffected","version":"6.9"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"4.11","status":"unaffected","version":"0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:4.11:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"status":"affected","version":"4.11"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"5.16","status":"unaffected","version":"5.15.154","versionType":"custom"}]},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"linux_kernel","vendor":"linux","versions":[{"lessThan":"6.8","status":"unaffected","version":"6.7.12","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2024-26960","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-02-05T21:09:23.358079Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-362","description":"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-02-05T21:09:44.704Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-02T00:21:06.048Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:50:50.097Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["mm/swapfile.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d85c11c97ecf92d47a4b29e3faca714dc1f18d0d","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"},{"lessThan":"2da5568ee222ce0541bfe446a07998f92ed1643e","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"},{"lessThan":"1ede7f1d7eed1738d1b9333fd1e152ccb450b86a","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"},{"lessThan":"0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"},{"lessThan":"3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"},{"lessThan":"363d17e7f7907c8e27a9e86968af0eaa2301787b","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"},{"lessThan":"82b1c07a0af603e3c47b906c8e991dc96f01688e","status":"affected","version":"7c00bafee87c7bac7ed9eced7c161f8e5332cb4e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["mm/swapfile.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.11"},{"lessThan":"4.11","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.215","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.154","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.84","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.24","versionType":"semver"},{"lessThanOrEqual":"6.7.*","status":"unaffected","version":"6.7.12","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.9","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.215","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.154","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.84","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.24","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.7.12","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.3","versionStartIncluding":"4.11","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9","versionStartIncluding":"4.11","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:07:42.928Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d"},{"url":"https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e"},{"url":"https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a"},{"url":"https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a"},{"url":"https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39"},{"url":"https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b"},{"url":"https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e"}],"title":"mm: swap: fix race between free_swap_and_cache() and swapoff()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-26960","datePublished":"2024-05-01T05:19:12.112Z","dateReserved":"2024-02-19T14:20:24.201Z","dateUpdated":"2026-05-12T11:50:50.097Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-05-01 06:15:12","lastModifiedDate":"2026-05-12 12:16:28","problem_types":["CWE-362","CWE-362 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.10.215","matchCriteriaId":"C0958525-A5AB-4D52-BD1F-3138F23DCF13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.154","matchCriteriaId":"577E212E-7E95-4A71-9B5C-F1D1A3AFFF46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.84","matchCriteriaId":"834D9BD5-42A6-4D74-979E-4D6D93F630FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.24","matchCriteriaId":"8018C1D0-0A5F-48D0-BC72-A2B33FDDA693"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.12","matchCriteriaId":"6BE9771A-BAFD-4624-95F9-58D536540C53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.3","matchCriteriaId":"4C59BBC3-6495-4A77-9C82-55EC7CDF5E02"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"26960","Ordinal":"1","Title":"mm: swap: fix race between free_swap_and_cache() and swapoff()","CVE":"CVE-2024-26960","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"26960","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread.  This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case.  But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff().  There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free.  This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff.  So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----","Type":"Description","Title":"mm: swap: fix race between free_swap_and_cache() and swapoff()"}]}}}