Linux Kernel Code Execution Vulnerability - 20240226003

Overview

In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb.

What is vulnerable?

Product(s) Affected
CVE-2024-26582 Linux Version 6.0

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month... (refer Patch Management):

Additional References

• https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96 
• https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5 
• https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df 
• https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f