CVE-2024-27393

xen-netfront: Add missing skb_mark_for_recycle

Description

In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Add missing skb_mark_for_recycle Notice that skb_mark_for_recycle() is introduced later than fixes tag in commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag were missing a call to page_pool_release_page() between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). Since v6.6 the call page_pool_release_page() were removed (in commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks").

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Third-Party Advisory openwall.com Third-Party Advisory xen.org
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1 patch
https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6 patch
https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629 patch
https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4 patch
https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f patch
http://www.openwall.com/lists/oss-security/2024/05/08/4 mailing list third party advisory
http://xenbits.xen.org/xsa/advisory-457.html third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-27393?
CVE-2024-27393 has been scored as a medium severity vulnerability.
How to fix CVE-2024-27393?
To fix CVE-2024-27393, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-27393 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-27393 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-27393?
CVE-2024-27393 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.