CVE-2024-49996
Published: 2024-10-21 · Last updated: 2026-06-15
Severity and scoring
- CVSS: 7.8 HIGH
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-120
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, linux_kernel |
| linux | debian_linux, linux_kernel |
Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix buffer overflow when parsing NFS reparse points

ReparseDataLength is the sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength.

Function cifs_strndup_from_utf16() is currently accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len.

Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access.

Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev().
Source: NVD
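The three length checks the description lists, shown in a user-space parser. This is an added example, not the kernel patch or code from this page. The wire layout, the order of major and minor in DataBuffer, and the names `parse_nfs_reparse`, `struct nfs_reparse` and `le_get` are assumptions made for illustration; the two `NFS_SPECFILE_*` values and the tag bytes in the sample are the ones the NFS reparse format uses.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed wire layout (little-endian), modelled on the fields named above:
 * ReparseTag(4) ReparseDataLength(2) Reserved(2) InodeType(8) DataBuffer[] */
#define HDR_LEN        8u
#define INODE_TYPE_LEN 8u
#define RDEV_LEN       8u                    /* assumed: major(4) then minor(4) */
#define NFS_SPECFILE_LNK 0x00000000014B4E4CULL
#define NFS_SPECFILE_CHR 0x0000000000524843ULL
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LEN = -2, PARSE_UNKNOWN = -3 };

struct nfs_reparse {                         /* hypothetical result type */
    uint64_t inode_type;
    const uint8_t *data;                     /* start of DataBuffer */
    size_t data_len;                         /* DataBuffer size only */
    uint32_t major, minor;
};

static uint64_t le_get(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];         /* highest-index byte is most significant */
    return v;
}

int parse_nfs_reparse(const uint8_t *buf, size_t buf_len, struct nfs_reparse *out)
{
    if (buf_len < HDR_LEN) return PARSE_TRUNCATED;
    size_t rdl = (size_t)le_get(buf + 4, 2);             /* ReparseDataLength */
    if (rdl > buf_len - HDR_LEN) return PARSE_TRUNCATED; /* claims more than received */
    if (rdl < INODE_TYPE_LEN) return PARSE_BAD_LEN;      /* InodeType is not present */
    out->inode_type = le_get(buf + HDR_LEN, INODE_TYPE_LEN);
    out->data = buf + HDR_LEN + INODE_TYPE_LEN;
    out->data_len = rdl - INODE_TYPE_LEN;                /* subtract InodeType's size */
    out->major = out->minor = 0;
    switch (out->inode_type) {
    case NFS_SPECFILE_LNK:      /* this example requires a non-empty, even-length UTF-16 target */
        return (out->data_len == 0 || out->data_len % 2) ? PARSE_BAD_LEN : PARSE_OK;
    case NFS_SPECFILE_CHR:
        if (out->data_len < RDEV_LEN) return PARSE_BAD_LEN; /* no room for major/minor */
        out->major = (uint32_t)le_get(out->data, 4);
        out->minor = (uint32_t)le_get(out->data + 4, 4);
        return PARSE_OK;
    default: return PARSE_UNKNOWN;
    }
}

/* Constructed sample: tag 0x80000014, ReparseDataLength = 10, LNK, target "a" (UTF-16LE) */
const uint8_t sample_lnk[] = {0x14,0,0,0x80, 10,0, 0,0, 0x4C,0x4E,0x4B,0x01,0,0,0,0, 0x61,0};
```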
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2024-49996
- [Patch] https://git.kernel.org/stable/c/01cdddde39b065074fd48f07027757783cbf5b7d
- [Patch] https://git.kernel.org/stable/c/73b078e3314d4854fd8286f3ba65c860ddd3a3dd
- [Patch] https://git.kernel.org/stable/c/7b222d6cb87077faf56a687a72af1951cf78c8a9
- [Patch] https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919
- [Patch] https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9
- [Patch] https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07
- [Patch] https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404
- [Patch] https://git.kernel.org/stable/c/ec79e6170bcae8a6036a4b6960f5e7e59a785601
- [Other] https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- [Other] https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html