[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-26656":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":21,"related":22,"reserved_at":9,"published_at":23,"modified_at":24,"state":9,"summary":25,"references_raw":27,"kevs":34,"epss":9,"epss_history":35,"metrics":36,"affected":43},"DEBIAN-CVE-2024-26656","In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix use-after-free bug  The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl to the AMDGPU DRM driver on any ASICs with an invalid address and size. The bug was reported by Joonkyo Jung \u003Cjoonkyoj@yonsei.ac.kr>. For example the following code:  static void Syzkaller1(int fd) { \tstruct drm_amdgpu_gem_userptr arg; \tint ret;  \targ.addr = 0xffffffffffff0000; \targ.size = 0x80000000; /*2 Gb*/ \targ.flags = 0x7; \tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg); }  Because the address and size are not valid, there is a failure in amdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert-> check_shl_overflow, but even after the amdgpu_hmm_register failure we still call amdgpu_hmm_unregister from  amdgpu_gem_object_free, which causes access to a bad address. 
The following stack trace is produced when the issue is reproduced with KASAN enabled:  [  +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [  +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340 [  +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff \u003C0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80 [  +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246 [  +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b [  +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260 [  +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25 [  +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00 [  +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260 [  +0.000011] FS:  00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000 [  +0.000012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0 [  +0.000010] Call Trace: [  +0.000006]  \u003CTASK> [  +0.000007]  ? show_regs+0x6a/0x80 [  +0.000018]  ? __warn+0xa5/0x1b0 [  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340 [  +0.000018]  ? report_bug+0x24a/0x290 [  +0.000022]  ? handle_bug+0x46/0x90 [  +0.000015]  ? exc_invalid_op+0x19/0x50 [  +0.000016]  ? asm_exc_invalid_op+0x1b/0x20 [  +0.000017]  ? kasan_save_stack+0x26/0x50 [  +0.000017]  ? mmu_interval_notifier_remove+0x23b/0x340 [  +0.000019]  ? mmu_interval_notifier_remove+0x327/0x340 [  +0.000019]  ? mmu_interval_notifier_remove+0x23b/0x340 [  +0.000020]  ? __pfx_mmu_interval_notifier_remove+0x10/0x10 [  +0.000017]  ? kasan_save_alloc_info+0x1e/0x30 [  +0.000018]  ? srso_return_thunk+0x5/0x5f [  +0.000014]  ? __kasan_kmalloc+0xb1/0xc0 [  +0.000018]  ? srso_return_thunk+0x5/0x5f [  +0.000013]  ? 
__kasan_check_read+0x11/0x20 [  +0.000020]  amdgpu_hmm_unregister+0x34/0x50 [amdgpu] [  +0.004695]  amdgpu_gem_object_free+0x66/0xa0 [amdgpu] [  +0.004534]  ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu] [  +0.004291]  ? do_syscall_64+0x5f/0xe0 [  +0.000023]  ? srso_return_thunk+0x5/0x5f [  +0.000017]  drm_gem_object_free+0x3b/0x50 [drm] [  +0.000489]  amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu] [  +0.004295]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [  +0.004270]  ? srso_return_thunk+0x5/0x5f [  +0.000014]  ? __this_cpu_preempt_check+0x13/0x20 [  +0.000015]  ? srso_return_thunk+0x5/0x5f [  +0.000013]  ? sysvec_apic_timer_interrupt+0x57/0xc0 [  +0.000020]  ? srso_return_thunk+0x5/0x5f [  +0.000014]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [  +0.000022]  ? drm_ioctl_kernel+0x17b/0x1f0 [drm] [  +0.000496]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [  +0.004272]  ? drm_ioctl_kernel+0x190/0x1f0 [drm] [  +0.000492]  drm_ioctl_kernel+0x140/0x1f0 [drm] [  +0.000497]  ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu] [  +0.004297]  ? 
__pfx_drm_ioctl_kernel+0x10/0x10 [d ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2024-26656",[17,19],{"_key":18},"DLA-4193-1",{"_key":20},"DSA-5900-1",[],[],"2024-04-02T07:15:42.760Z","2026-04-28T20:27:38.302565Z",{"cisa_kev":26,"cisa_ransomware":26,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[28],{"url":29,"sources":30,"tags":32},"https://security-tracker.debian.org/tracker/CVE-2024-26656",[31],"osv_debian",[33],"Advisory",[],[],[37],{"source":31,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":38,"cvss_v4_0":9},{"baseScore":39,"baseSeverity":9,"vectorString":40,"impactScore":41,"exploitabilityScore":42},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[44,62],{"ecosystem":45,"name":46,"vendor":47,"product":46,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":46,"source":9,"versions":49},"Debian","linux","debian","deb",[50,54,58,61],{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":55,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt6_1_133_1","6.1.133-1","excluding",{"version":59,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_7_12_1","6.7.12-1",{"version":59,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},{"ecosystem":45,"name":63,"vendor":47,"product":63,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":63,"source":9,"versions":64},"linux-6.1",[65],{"version":66,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":67,"version_end_type":57,"fixed_in":9},"lt6_1_137_1~deb11u1","6.1.137-1~deb11u1"]