CVE-2024-50026: scsi: wd33c93: Don't use stale scsi_pointer value

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: wd33c93: Don't use stale scsi_pointer value

A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93:
Move the SCSI pointer to private command data") which results in an oops
in wd33c93_intr(). That commit added the scsi_pointer variable and
initialized it from hostdata->connected. However, during selection,
hostdata->connected is not yet valid. Fix this by getting the current
scsi_pointer from hostdata->selecting.

Classification

CVE ID: CVE-2024-50026

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation activity in the wild within the next 30 days)

EPSS Percentile: 10.63% (share of all scored vulnerabilities whose EPSS score is less than or equal to this one)

EPSS Date: 2025-06-02 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50026
https://git.kernel.org/stable/c/3afeceda855dea9b85cddd96307d4d17c8742005
https://git.kernel.org/stable/c/e04642a207f1d2ae28a08624c04c67f5681f3451
https://git.kernel.org/stable/c/b60ff1a95c7c386cdd6153de3d7d85edaeabd800
https://git.kernel.org/stable/c/9023ed8d91eb1fcc93e64dc4962f7412b1c4cbec

Timeline