CVE-2024-39496

EPSS 0.01%
Veröffentlicht 12.07.2024 13:15:12
Zuletzt bearbeitet 03.11.2025 22:17:05
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free due to race with dev replace

While loading a zone's info during creation of a block group, we can race
with a device replace operation and then trigger a use-after-free on the
device that was just replaced (source device of the replace operation).

This happens because at btrfs_load_zone_info() we extract a device from
the chunk map into a local variable and then use the device while not
under the protection of the device replace rwsem. So if there's a device
replace operation happening when we extract the device and that device
is the source of the replace operation, we will trigger a use-after-free
if before we finish using the device the replace operation finishes and
frees the device.

Fix this by enlarging the critical section under the protection of the
device replace rwsem so that all uses of the device are done inside the
critical section.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version < 6.1.95

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.35

Linux ≫ Linux Kernel Version >= 6.7 < 6.9.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.009

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9

Patch

https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6

Patch

https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43

Patch

https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752

Patch

https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

https://nvd.nist.gov/vuln/detail/CVE-2024-39496

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39496

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39496

EUVD