CVE-2024-53186

Severity: High (CVSS 3.1 base score 7.0) · EPSS: 7.1%
Published: Dec 27, 2024 · Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in SMB request handling

A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF.

  • KASAN: slab-use-after-free Read in handle_ksmbd_work
  • KASAN: slab-use-after-free in rtlock_slowlock_locked

This race condition arises as follows:

  • `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero: `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`
  • Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls `ksmbd_conn_free()`, which frees `conn`.
  • However, after `handle_ksmbd_work()` decrements `conn->r_count`, it may still access `conn->r_count_q` in the following line: `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`. This results in a UAF, as `conn` has already been freed.

The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests.
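The ordering bug described above, as an added worked example in C. This is not ksmbd code and not the text of the referenced patches; it models the two actors as plain functions and forces the worst-case interleaving: the moment the worker's decrement takes `r_count` to zero, the handler loop's teardown runs (as if `wait_event()` had returned immediately), and only then does the worker touch the wait queue. The vulnerable ordering trips the model's use-after-free detector. The hardened ordering pins the connection with a separate lifetime reference held across the decrement and the wake-up, which is the standard kernel remedy for "drop the count, then touch the object" bugs; in-tree code would use `refcount_t` or `kref`, while this file uses C11 atomics so it builds in userspace. Compare it against the referenced commits for how ksmbd itself resolved the issue. All names here (`struct conn`, `refcnt`, `conn_put`, `run_model`) are the example's own.

```c
/* Deterministic model of the CVE-2024-53186 ordering bug. Constructed for
 * this page; it is not ksmbd code. Build: cc -std=c11 -o uaf_model uaf_model.c */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct conn {
	atomic_int r_count;  /* in-flight requests; the handler loop waits for 0 */
	atomic_int refcnt;   /* lifetime reference, used by the hardened path only */
	int wakeups;         /* stands in for wake_up(&conn->r_count_q) */
};

/* Model bookkeeping so a use-after-free is reported instead of executed
 * (dereferencing freed memory would be undefined behaviour). */
static bool conn_is_freed;
static bool conn_uaf_seen;

enum outcome { OUTCOME_OK = 0, OUTCOME_UAF = 1, OUTCOME_LEAK = 2 };

static struct conn *conn_alloc(void)
{
	struct conn *c = calloc(1, sizeof(*c));
	if (!c)
		abort();
	atomic_init(&c->r_count, 1);  /* one request is being processed */
	atomic_init(&c->refcnt, 1);   /* the handler loop's own reference */
	conn_is_freed = false;
	conn_uaf_seen = false;
	return c;
}

static void conn_free(struct conn *c)
{
	conn_is_freed = true;
	free(c);
}

/* Drop one lifetime reference; the last one frees (atomic_dec_and_test). */
static void conn_put(struct conn *c)
{
	if (atomic_fetch_sub(&c->refcnt, 1) == 1)
		conn_free(c);
}

/* Guarded stand-in for waitqueue_active()/wake_up() on conn->r_count_q. */
static void conn_wake_waiters(struct conn *c)
{
	if (conn_is_freed) {      /* conn was already freed: this is the UAF */
		conn_uaf_seen = true;
		return;
	}
	c->wakeups++;
}

/* What ksmbd_conn_handler_loop() does once wait_event() sees r_count == 0.
 * Vulnerable model: free conn outright. Hardened model: drop the loop's
 * reference, so conn survives while the worker still holds one. */
static void handler_loop_teardown(struct conn *c, bool hardened)
{
	if (hardened)
		conn_put(c);
	else
		conn_free(c);
}

/* The worker's end-of-request path. The model forces the worst case:
 * the instant r_count reaches zero, the handler loop runs its teardown,
 * before the worker touches conn again. */
static void worker_finish_request(struct conn *c, bool hardened)
{
	if (hardened)
		atomic_fetch_add(&c->refcnt, 1);     /* pin conn across the wake-up */

	if (atomic_fetch_sub(&c->r_count, 1) == 1)   /* r_count is now 0 ... */
		handler_loop_teardown(c, hardened);  /* ... and the loop wakes here */

	conn_wake_waiters(c);                        /* the access after the dec */

	if (hardened)
		conn_put(c);                         /* last reference: free now */
}

/* Runs one request completion and reports what happened to conn. */
enum outcome run_model(bool hardened)
{
	struct conn *c = conn_alloc();
	worker_finish_request(c, hardened);
	if (conn_uaf_seen)
		return OUTCOME_UAF;
	if (!conn_is_freed) {
		free(c);                             /* tidy up the model's leak */
		return OUTCOME_LEAK;
	}
	return OUTCOME_OK;
}

int main(void)
{
	printf("vulnerable ordering: %s\n",
	       run_model(false) == OUTCOME_UAF ? "use-after-free" : "ok");
	printf("hardened ordering:   %s\n",
	       run_model(true) == OUTCOME_OK ? "ok" : "broken");
	return 0;
}
```

The point the model makes is that the decrement and the subsequent `waitqueue_active()`/`wake_up()` cannot be made atomic with respect to the thread that frees the object; `waitqueue_active()` being a lockless read does not help, because it still reads through `conn`. Once the count that gates the free has been dropped, the only safe way to touch the object again is to have taken a reference of your own before dropping it, and to release that reference as the very last step.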

CVSS Details

Base Score
7.0
Exploitability
1.0
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
7.1%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-416 Use After Free (Memory Safety)

Affected Products 4

Vendor   Product        Version   Affected range
linux    linux_kernel   *         ≥ 6.6.55, < 6.6.64
linux    linux_kernel   *         ≥ 6.10.14, < 6.11
linux    linux_kernel   *         ≥ 6.11.3, < 6.11.11
linux    linux_kernel   *         ≥ 6.12, < 6.12.2

References 4

  • git.kernel.org https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33
    Patch

Remediation

  • Apply the four stable patch commits listed under References, or move to a kernel release outside the affected ranges listed under Affected Products.
  • Exposure check: the vulnerable path lives in the in-kernel SMB server (ksmbd, built under CONFIG_SMB_SERVER), so a host that never loads the ksmbd module (`lsmod | grep -w ksmbd`) does not reach this code even while unpatched.