CVE-2024-26807

Advisory lineage Upstream: 0 Downstream: 11

Downstream

DEBIAN-CVE-2024-26807 DLA-4271-1 DSA-5925-1 SUSE-SU-2024:1490-1 SUSE-SU-2024:1659-1 SUSE-SU-2024:1663-1

Modified

Published: 04 Apr 2024, 08:20

Last modified:23 May 2026, 15:38

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

v3.1 (nvd)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Apr 2024, 08:20

Published

Vulnerability first disclosed

23 May 2026, 15:38

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: Both cadence-quadspi ->runtime_suspend() and ->runtime_resume() implementations start with: struct cqspi_st *cqspi = dev_get_drvdata(dev); struct spi_controller *host = dev_get_drvdata(dev); This obviously cannot be correct, unless "struct cqspi_st" is the first member of " struct spi_controller", or the other way around, but it is not the case. "struct spi_controller" is allocated by devm_spi_alloc_host(), which allocates an extra amount of memory for private data, used to store "struct cqspi_st". The ->probe() function of the cadence-quadspi driver then sets the device drvdata to store the address of the "struct cqspi_st" structure. Therefore: struct cqspi_st *cqspi = dev_get_drvdata(dev); is correct, but: struct spi_controller *host = dev_get_drvdata(dev); is not, as it makes "host" point not to a "struct spi_controller" but to the same "struct cqspi_st" structure as above. This obviously leads to bad things (memory corruption, kernel crashes) directly during ->probe(), as ->probe() enables the device using PM runtime, leading the ->runtime_resume() hook being called, which in turns calls spi_controller_resume() with the wrong pointer. This has at least been reported [0] to cause a kernel crash, but the exact behavior will depend on the memory contents. [0] https://lore.kernel.org/all/20240226121803.5a7r5wkpbbowcxgx@dhruva/ This issue potentially affects all platforms that are currently using the cadence-quadspi driver.

CVSS Metrics

v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 3%

Techniques & Countermeasures

CWE-787•Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

linux•linux
≥ 79acf7fb856eade9c3d0cf00fd34a04bf5c43a1c, < 2c914aac9522f6e93822c18dff233d3e92399c81 | ≥ 2087e85bb66ee3652dafe732bb9b9b896229eafc, < 03f1573c9587029730ca68503f5062105b122f61 | ≥ 2087e85bb66ee3652dafe732bb9b9b896229eafc, < 34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03 | ≥ 2087e85bb66ee3652dafe732bb9b9b896229eafc, < 32ce3bb57b6b402de2aec1012511e7ac4e7449dc | e3f9fc9a4f1499cc9e1bad4482d377494e367b3d | 6716203844bc8489af5e5564f0fa31e0c094a7ff | b24f1ecc8fe2ceefc14af02edb1744c246d87bf7 | d453f25faf681799d636fe9d6899ad91c45aa11e | 18cb554e9da81bc4eca653c17a0d65e8b5835c09 | 1368dbc0a432acf9fc0dcb23bfe52d32ca4c09ab | ≥ 6.1.28, < 6.1.140 | ≥ 4.19.283, < 4.20 | ≥ 5.4.243, < 5.5 | ≥ 5.10.180, < 5.11 | ≥ 5.15.111, < 5.16 | ≥ 6.2.15, < 6.3 | ≥ 6.3.2, < 6.4 | 6.4
linux•linux_kernel
≥ 6.4, < 6.6.21 | ≥ 6.7, < 6.7.9 | 4.19.283 | 5.4.243 | 5.10.180 | 5.15.111 | 6.1.28 | 6.2.15 | 6.3.2 | 6.8:rc1 | 6.8:rc2 | 6.8:rc3 | 6.8:rc4 | 6.8:rc5 | 6.8:rc6