CVE-2024-39495

HIGH EPSS 24.0%
Published Jul 12, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
7.8 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code.

    if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
        ...
    }

If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf".

The possible execution flow that may lead to the issue is as follows:

    CPU0                          CPU1

                              |   gb_interface_create
                              |   gb_interface_request_mode_switch
    gb_interface_release      |
    kfree(intf) (free)        |
                              |   gb_interface_mode_switch_work
                              |   mutex_lock(&intf->mutex) (use)

Fix it by canceling the work before kfree.
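The ordering problem in the description, as an added example: a constructed userspace C model, not the kernel patch and not code from this page. All model_* names are hypothetical, and "freeing" only clears a flag so the stale access is counted rather than performed. In the kernel, cancel_work_sync() is the workqueue call that cancels a pending work item and waits for a running one.

```c
/* Constructed userspace model, not kernel code. "Freeing" only clears a
 * flag, so a stale access is counted instead of actually performed. */
#include <stdbool.h>
#include <stddef.h>
struct model_intf {
    bool alive;          /* false once released (stands in for kfree) */
    int  mode_switches;  /* state the work function touches */
};
static struct model_intf *wq[4];  /* stands in for system_long_wq */
static size_t wq_len;

/* gb_interface_request_mode_switch step: queue work pointing at intf. */
static bool model_request_mode_switch(struct model_intf *intf) {
    if (wq_len == sizeof(wq) / sizeof(wq[0]))
        return false;
    wq[wq_len++] = intf;
    return true;
}

/* gb_interface_release step; cancel_first selects the fixed ordering. */
static void model_release(struct model_intf *intf, bool cancel_first) {
    if (cancel_first) {           /* drop queued work before freeing */
        size_t out = 0;
        for (size_t i = 0; i < wq_len; i++)
            if (wq[i] != intf) wq[out++] = wq[i];
        wq_len = out;
    }
    intf->alive = false;          /* kfree(intf) */
}

/* Worker step: returns how many queued items pointed at a freed object. */
static int model_run_queue(void) {
    int stale = 0;
    for (size_t i = 0; i < wq_len; i++) {
        if (!wq[i]->alive) { stale++; continue; }  /* the UAF would be here */
        wq[i]->mode_switches++;                    /* normal work */
    }
    wq_len = 0;
    return stale;
}

/* The interleaving from the description: queue, release, then run. */
int model_scenario(bool cancel_first) {
    struct model_intf intf = { .alive = true };
    if (!model_request_mode_switch(&intf))
        return -1;
    model_release(&intf, cancel_first);
    return model_run_queue();
}
```

model_scenario(false) reproduces the release-before-work ordering and reports one stale work item; model_scenario(true) cancels first and reports none.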

CVSS Details

Base Score 7.8
Exploitability 1.8
Impact 5.9
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
24.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 6

Vendor  Product       Version  Range
linux   linux_kernel  *        <5.4.279
linux   linux_kernel  *        ≥5.5 – <5.10.221
linux   linux_kernel  *        ≥5.11 – <5.15.162
linux   linux_kernel  *        ≥5.16 – <6.1.95
linux   linux_kernel  *        ≥6.2 – <6.6.35
linux   linux_kernel  *        ≥6.7 – <6.9.6

References 8

  • git.kernel.org https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9
    Patch