[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-26766":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":23,"related":24,"reserved_at":9,"published_at":25,"modified_at":26,"state":9,"summary":27,"references_raw":29,"kevs":36,"epss":9,"epss_history":37,"metrics":38,"affected":45},"DEBIAN-CVE-2024-26766","In the Linux kernel, the following vulnerability has been resolved:  IB/hfi1: Fix sdma.h tx->num_descs off-by-one error  Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call.  [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990]  \u003CTASK> [ 1081.021929]  hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364]  hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633]  hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001]  ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978]  dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347]  __sys_sendmsg+0x59/0xa0  crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq {   txreq = {     list = {       next = 0xffff9cfeba229f00,       prev = 0xffff9cfeba229f00     },     descp = 0xffff9cfeba229f40,     coalesce_buf = 0x0,     wait = 0xffff9cfea4e69a48,     complete = 0xffffffffc0fe0760 \u003Chfi1_ipoib_sdma_complete>,     packet_len = 0x46d,     tlen = 0x0,     num_desc = 0x0,     desc_limit = 0x6,     next_descq_idx = 0x45c,     coalesce_idx = 0x0,     flags = 0x0,     descs = {{         qw = {0x8024000120dffb00, 0x4}  # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)       }, {         qw = {  0x3800014231b108, 0x4}       }, {         qw = { 0x310000e4ee0fcf0, 0x8}       }, {         qw = {  0x3000012e9f8000, 0x8}       }, {         qw = {  0x59000dfb9d0000, 0x8}       }, {         qw = {  0x78000e02e40000, 0x8}       }}   },   sdma_hdr =  0x400300015528b000,  \u003C\u003C\u003C invalid pointer in the tx request structure   sdma_status = 0x0,                   SDMA_DESC0_LAST_DESC_FLAG (bit 62)   complete = 0x0,   priv = 0x0,   txq = 0xffff9cfea4e69880,   skb = 0xffff9d099809f400 }  If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array.  With this patch the crashes are no longer reproducible and the machine is stable.",null,[],[],[],[14],{"_key":15},"CVE-2024-26766",[17,19,21],{"_key":18},"DLA-3840-1",{"_key":20},"DLA-3842-1",{"_key":22},"DSA-5681-1",[],[],"2024-04-03T17:15:52.683Z","2026-04-28T20:27:41.066647Z",{"cisa_kev":28,"cisa_ransomware":28,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[30],{"url":31,"sources":32,"tags":34},"https://security-tracker.debian.org/tracker/CVE-2024-26766",[33],"osv_debian",[35],"Advisory",[],[],[39],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":40,"cvss_v4_0":9},{"baseScore":41,"baseSeverity":9,"vectorString":42,"impactScore":43,"exploitabilityScore":44},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[46],{"ecosystem":47,"name":48,"vendor":49,"product":48,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":48,"source":9,"versions":51},"Debian","linux","debian","deb",[52,58,61,64],{"version":53,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt5_10_216_1",true,"ecosystem","5.10.216-1","excluding",{"version":59,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_1_82_1","6.1.82-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},"lt6_7_7_1","6.7.7-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9}]