{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35827", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T12:19:12.347Z", "datePublished": "2024-05-17T13:41:09.193Z", "dateUpdated": "2024-12-19T08:55:58.511Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:55:58.511Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\n\nThe \"controllen\" variable is type size_t (unsigned long). Casting it\nto int could lead to an integer underflow.\n\nThe check_add_overflow() function considers the type of the destination\nwhich is type int. If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\n\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\n\nGood: 100 + (unsigned long)-4 = 96 <-- overflow\n Bad: 100 + (int)-4 = 96 <-- no overflow\n\nI deleted the cast of the sizeof() as well. That's not a bug but the\ncast is unnecessary."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/net.c"], "versions": [{"version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "868ec868616438df487b9e2baa5a99f8662cc47c", "status": "affected", "versionType": "git"}, {"version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "59a534690ecc3af72c6ab121aeac1237a4adae66", "status": "affected", "versionType": "git"}, {"version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "0c8c74bb59e7d77554016efc34c2d10376985e5e", "status": "affected", "versionType": "git"}, {"version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "b6563ad0d599110bd5cf8f56c47d279c3ed796fe", "status": "affected", "versionType": "git"}, {"version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "8ede3db5061bb1fe28e2c9683329aafa89d2b1b4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/net.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.83", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.23", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.11", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.2", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c"}, {"url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66"}, {"url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e"}, {"url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe"}, {"url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4"}], "title": "io_uring/net: fix overflow check in io_recvmsg_mshot_prep()", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35827", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-17T15:12:59.146861Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:28.876Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.467Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.467Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35827", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-17T15:12:59.146861Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.547Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "io_uring/net: fix overflow check in io_recvmsg_mshot_prep()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "868ec868616438df487b9e2baa5a99f8662cc47c", "versionType": "git"}, {"status": "affected", "version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "59a534690ecc3af72c6ab121aeac1237a4adae66", "versionType": "git"}, {"status": "affected", "version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "0c8c74bb59e7d77554016efc34c2d10376985e5e", "versionType": "git"}, {"status": "affected", "version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "b6563ad0d599110bd5cf8f56c47d279c3ed796fe", "versionType": "git"}, {"status": "affected", "version": "9b0fc3c054ff2eb13753104884f1045b5bb3a627", "lessThan": "8ede3db5061bb1fe28e2c9683329aafa89d2b1b4", "versionType": "git"}], "programFiles": ["io_uring/net.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.0"}, {"status": "unaffected", "version": "0", "lessThan": "6.0", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.83", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.23", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.11", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.2", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["io_uring/net.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c"}, {"url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66"}, {"url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e"}, {"url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe"}, {"url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\n\nThe \"controllen\" variable is type size_t (unsigned long). Casting it\nto int could lead to an integer underflow.\n\nThe check_add_overflow() function considers the type of the destination\nwhich is type int. If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\n\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\n\nGood: 100 + (unsigned long)-4 = 96 <-- overflow\n Bad: 100 + (int)-4 = 96 <-- no overflow\n\nI deleted the cast of the sizeof() as well. That's not a bug but the\ncast is unnecessary."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:55:58.511Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35827", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:55:58.511Z", "dateReserved": "2024-05-17T12:19:12.347Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-17T13:41:09.193Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A32E0BAB-1526-4AF3-8BD5-C68B497F3C47", "versionEndExcluding": "6.1.83", "versionStartIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E00814DC-0BA7-431A-9926-80FEB4A96C68", "versionEndExcluding": "6.6.23", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD", "versionEndExcluding": "6.7.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1", "versionEndExcluding": "6.8.2", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\n\nThe \"controllen\" variable is type size_t (unsigned long). Casting it\nto int could lead to an integer underflow.\n\nThe check_add_overflow() function considers the type of the destination\nwhich is type int. If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\n\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\n\nGood: 100 + (unsigned long)-4 = 96 <-- overflow\n Bad: 100 + (int)-4 = 96 <-- no overflow\n\nI deleted the cast of the sizeof() as well. That's not a bug but the\ncast is unnecessary."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring/net: corregida la comprobaci\u00f3n de desbordamiento en io_recvmsg_mshot_prep() La variable \"controllen\" es de tipo size_t (largo sin firmar). Convertirlo a int podr\u00eda provocar un desbordamiento de n\u00fameros enteros. La funci\u00f3n check_add_overflow() considera el tipo de destino que es de tipo int. Si sumamos dos valores positivos y el resultado no cabe en un n\u00famero entero, entonces se cuenta como un desbordamiento. Sin embargo, si convertimos \"controllen\" en un int y se vuelve negativo, entonces los valores negativos *pueden* caber en un tipo int para que no haya desbordamiento. Bueno: 100 + (unsigned long)-4 = 96 &lt;-- overflow Malo: 100 + (int)-4 = 96 &lt;-- no overflow Tambi\u00e9n elimin\u00e9 el cast de sizeof(). Eso no es un error, pero el cast es innecesario."}], "id": "CVE-2024-35827", "lastModified": "2025-02-03T16:20:18.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-17T14:15:18.670", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: io_uring/net: fix overflow check in io_recvmsg_mshot_prep()", "id": "2281183", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281183"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\nThe \"controllen\" variable is type size_t (unsigned long). Casting it\nto int could lead to an integer underflow.\nThe check_add_overflow() function considers the type of the destination\nwhich is type int. If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\nGood: 100 + (unsigned long)-4 = 96 <-- overflow\nBad: 100 + (int)-4 = 96 <-- no overflow\nI deleted the cast of the sizeof() as well. That's not a bug but the\ncast is unnecessary."], "name": "CVE-2024-35827", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35827\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35827\nhttps://lore.kernel.org/linux-cve-announce/2024051741-CVE-2024-35827-822c@gregkh/T"], "threat_severity": "Low"}