CVE-2024-27393 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Add missing skb_mark_for_recycle Notice that skb_mark_for_recycle() is introduced later than fixes tag in commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag were missing a call to page_pool_release_page() between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). Since v6.6 the call page_pool_release_page() were removed (in commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks").

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Linux	Linux Kernel
Redhat	Enterprise Linux Rhel E4s Rhel Eus

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc2::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
kernel-0:5.14.0-427.24.1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:4349	2024-07-08T00:00:00Z
kernel-0:5.14.0-427.24.1.el9_4	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:4349	2024-07-08T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
kernel-0:5.14.0-70.112.1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:5257	2024-08-13T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.71.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:4108	2024-06-26T00:00:00Z
kernel-rt-0:5.14.0-284.71.1.rt14.356.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2024:4106	2024-06-26T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/05/08/4
http://xenbits.xen.org/xsa/advisory-457.html
https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f
https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629
https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1
https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6
https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4
https://lore.kernel.org/linux-cve-announce/2024050835-CVE-2024-27393-b804@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-27393
https://www.cve.org/CVERecord?id=CVE-2024-27393

History

Tue, 08 Apr 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.9:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc2::::::
Vendors & Products		Linux Linux linux Kernel

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/05/08/4 http://xenbits.xen.org/xsa/advisory-457.html

Tue, 05 Nov 2024 10:45:00 +0000

Type	Values Removed	Values Added
References	http://www.openwall.com/lists/oss-security/2024/05/08/4 http://xenbits.xen.org/xsa/advisory-457.html

Mon, 04 Nov 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 Aug 2024 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s
CPEs		cpe:/a:redhat:rhel_e4s:9.0
Vendors & Products		Redhat rhel E4s

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-09T16:37:07.973Z

Updated: 2024-12-19T08:54:09.014Z

Reserved: 2024-02-25T13:47:42.677Z

Link: CVE-2024-27393

Vulnrichment

Updated: 2024-08-02T00:34:52.268Z

NVD

Status : Analyzed

Published: 2024-05-14T15:12:26.993

Modified: 2025-04-08T19:42:11.457

Link: CVE-2024-27393

Redhat

Severity : Low

Publid Date: 2024-05-08T00:00:00Z

Links: CVE-2024-27393 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object