{"id":"CVE-2024-26898","summary":"aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts","details":"In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\n\nThis patch is against CVE-2023-6270. The description of cve is:\n\n  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n  `struct net_device`, and a use-after-free can be triggered by racing\n  between the free on the struct and the access through the `skbtxq`\n  global queue. This could lead to a denial of service condition or\n  potential code execution.\n\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()-\u003edev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\n\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().","modified":"2026-04-02T10:06:21.089686Z","published":"2024-04-17T10:27:48.466Z","related":["SUSE-SU-2024:1641-1","SUSE-SU-2024:1642-1","SUSE-SU-2024:1643-1","SUSE-SU-2024:1644-1","SUSE-SU-2024:1645-1","SUSE-SU-2024:1646-1","SUSE-SU-2024:1647-1","SUSE-SU-2024:1650-1","SUSE-SU-2024:1659-1","SUSE-SU-2024:1663-1","SUSE-SU-2024:1669-1","SUSE-SU-2024:1870-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:4038-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26898.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/079cba4f4e307c69878226fdf5228c20aa1c969c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a54aa506b3b2f31496731039e49778f54eee881"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74ca3ef68d2f449bc848c0a814cefc487bf755fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a16fbb80064634b254520a46395e36b87ca4731e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ad80c34944d7175fa1f5c7a55066020002921a99"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eb48680b0255a9e8a9bdc93d6a55b11c31262e62"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f98364e926626c678fb4b9004b75cacf92ff0662"},{"type":"WEB","url":"https://git.kernel.org/stable/c/faf0b4c5e00bb680e8e43ac936df24d3f48c8e65"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26898.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26898"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7562f876cd93800f2f8c89445f2a563590b24e09"},{"fixed":"ad80c34944d7175fa1f5c7a55066020002921a99"},{"fixed":"1a54aa506b3b2f31496731039e49778f54eee881"},{"fixed":"faf0b4c5e00bb680e8e43ac936df24d3f48c8e65"},{"fixed":"7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4"},{"fixed":"74ca3ef68d2f449bc848c0a814cefc487bf755fa"},{"fixed":"eb48680b0255a9e8a9bdc93d6a55b11c31262e62"},{"fixed":"079cba4f4e307c69878226fdf5228c20aa1c969c"},{"fixed":"a16fbb80064634b254520a46395e36b87ca4731e"},{"fixed":"f98364e926626c678fb4b9004b75cacf92ff0662"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26898.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}