Description

In the Linux kernel, the following vulnerability has been resolved: l2tp: prevent possible tunnel refcount underflow When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped. Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel. If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case.

INFO

Published Date :

2024-10-21T18:01:59.668Z

Last Modified :

2026-01-05T10:54:33.785Z

Source :

Linux
AFFECTED PRODUCTS

The following products are affected by CVE-2024-49940 vulnerability.

Vendors Products
Linux
  • Linux Kernel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-49940.

URL Resource
https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950 cve-icon cve-icon
https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02 cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2024102127-CVE-2024-49940-1c88@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-49940 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-49940 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact