CVE-2024-42286

scsi: qla2xxx: validate nvme_local_port correctly

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: validate nvme_local_port correctly The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000 RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000 RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030 R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4 R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8 FS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0 Call Trace: qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx] ? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx] qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx] qla_register_fcport_fn+0x54/0xc0 [qla2xxx] Exit the qla_nvme_register_remote() function when qla_nvme_register_hba() fails and correctly validate nvme_local_port.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/549aac9655320c9b245a24271b204668c5d40430 patch
https://git.kernel.org/stable/c/e1f010844443c389bc552884ac5cfa47de34d54c patch
https://git.kernel.org/stable/c/a3ab508a4853a9f5ae25a7816a4889f09938f63c patch
https://git.kernel.org/stable/c/cde43031df533751b4ead37d173922feee2f550f patch
https://git.kernel.org/stable/c/7cec2c3bfe84539c415f5e16f989228eba1d2f1e patch
https://git.kernel.org/stable/c/f6be298cc1042f24d521197af29c7c4eb95af4d5 patch
https://git.kernel.org/stable/c/3eac973eb5cb2b874b3918f924798afc5affd46b patch
https://git.kernel.org/stable/c/eb1d4ce2609584eeb7694866f34d4b213caa3af9 patch

Frequently Asked Questions

What is the severity of CVE-2024-42286?
CVE-2024-42286 has been scored as a medium severity vulnerability.
How to fix CVE-2024-42286?
To fix CVE-2024-42286, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42286 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-42286 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42286?
CVE-2024-42286 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.