CVE-2024-26791

btrfs: dev-replace: properly validate device names

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: dev-replace: properly validate device names There's a syzbot report that device name buffers passed to device replace are not properly checked for string termination which could lead to a read out of bounds in getname_kernel(). Add a helper that validates both source and target device name buffers. For devid as the source initialize the buffer to empty string in case something tries to read it later. This was originally analyzed and fixed in a different way by Edward Adam Davis (see links).

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84 patch
https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311 patch
https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d patch
https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9 patch
https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8 patch
https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1 patch
https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb patch
https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html patch

Frequently Asked Questions

What is the severity of CVE-2024-26791?
CVE-2024-26791 has been scored as a high severity vulnerability.
How to fix CVE-2024-26791?
To fix CVE-2024-26791, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-26791 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-26791 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-26791?
CVE-2024-26791 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.