CVE-2024-50154
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Summary
In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb
Impacted products
Vendor Product Version
Linux Linux Version: 4.2
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-50154",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-11T14:25:48.087506Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-11T14:58:32.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/inet_connection_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8459d61fbf24967839a70235165673148c7c7f17",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "5071beb59ee416e8ab456ac8647a4dabcda823b1",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "997ae8da14f1639ce6fb66a063dab54031cd61b3",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "51e34db64f4e43c7b055ccf881b7f3e0c31bb26d",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            },
            {
              "lessThan": "e8c526f2bdf1845bedaf6a478816a3d06fa78b8f",
              "status": "affected",
              "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/inet_connection_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.170",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n  \"\"\"\n  We are seeing a use-after-free from a bpf prog attached to\n  trace_tcp_retransmit_synack. The program passes the req-\u003esk to the\n  bpf_sk_storage_get_tracing kernel helper which does check for null\n  before using it.\n  \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer-\u003eentry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req-\u003esk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n  1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n     but del_timer_sync() is missed\n\n  2. reqsk timer is executed and scheduled again\n\n  3. req-\u003esk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n     reqsk timer still has another one, and inet_csk_accept() does not\n     clear req-\u003esk for non-TFO sockets\n\n  4. sk is close()d\n\n  5. reqsk timer is executed again, and BPF touches req-\u003esk\n\nLet\u0027s not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:34:16.350Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17"
        },
        {
          "url": "https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f"
        }
      ],
      "title": "tcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50154",
    "datePublished": "2024-11-07T09:31:30.855Z",
    "dateReserved": "2024-10-21T19:36:19.960Z",
    "dateUpdated": "2024-12-19T09:34:16.350Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50154\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-07T10:15:06.987\",\"lastModified\":\"2024-12-11T15:15:13.367\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().\\n\\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\\n\\n  \\\"\\\"\\\"\\n  We are seeing a use-after-free from a bpf prog attached to\\n  trace_tcp_retransmit_synack. The program passes the req-\u003esk to the\\n  bpf_sk_storage_get_tracing kernel helper which does check for null\\n  before using it.\\n  \\\"\\\"\\\"\\n\\nThe commit 83fccfc3940c (\\\"inet: fix potential deadlock in\\nreqsk_queue_unlink()\\\") added timer_pending() in reqsk_queue_unlink() not\\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\\nsmall race window.\\n\\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\\nto clear timer-\u003eentry.pprev and marks it as not pending.\\n\\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\\ncontinue running and send multiple SYN+ACKs until it expires.\\n\\nThe reported UAF could happen if req-\u003esk is close()d earlier than the timer\\nexpiration, which is 63s by default.\\n\\nThe scenario would be\\n\\n  1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\\n     but del_timer_sync() is missed\\n\\n  2. reqsk timer is executed and scheduled again\\n\\n  3. req-\u003esk is accept()ed and reqsk_put() decrements rsk_refcnt, but\\n     reqsk timer still has another one, and inet_csk_accept() does not\\n     clear req-\u003esk for non-TFO sockets\\n\\n  4. sk is close()d\\n\\n  5. reqsk timer is executed again, and BPF touches req-\u003esk\\n\\nLet\u0027s not use timer_pending() by passing the caller context to\\n__inet_csk_reqsk_queue_drop().\\n\\nNote that reqsk timer is pinned, so the issue does not happen in most\\nuse cases. [1]\\n\\n[0]\\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\\n\\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\\nbpf_sk_storage_get_tracing+0x2e/0x1b0\\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\\nbpf_trace_run2+0x4c/0xc0\\ntcp_rtx_synack+0xf9/0x100\\nreqsk_timer_handler+0xda/0x3d0\\nrun_timer_softirq+0x292/0x8a0\\nirq_exit_rcu+0xf5/0x320\\nsysvec_apic_timer_interrupt+0x6d/0x80\\nasm_sysvec_apic_timer_interrupt+0x16/0x20\\nintel_idle_irq+0x5a/0xa0\\ncpuidle_enter_state+0x94/0x273\\ncpu_startup_entry+0x15e/0x260\\nstart_secondary+0x8a/0x90\\nsecondary_startup_64_no_verify+0xfa/0xfb\\n\\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\\n\\nallocated by task 0 on cpu 9 at 260507.901592s:\\nsk_prot_alloc+0x35/0x140\\nsk_clone_lock+0x1f/0x3f0\\ninet_csk_clone_lock+0x15/0x160\\ntcp_create_openreq_child+0x1f/0x410\\ntcp_v6_syn_recv_sock+0x1da/0x700\\ntcp_check_req+0x1fb/0x510\\ntcp_v6_rcv+0x98b/0x1420\\nipv6_list_rcv+0x2258/0x26e0\\nnapi_complete_done+0x5b1/0x2990\\nmlx5e_napi_poll+0x2ae/0x8d0\\nnet_rx_action+0x13e/0x590\\nirq_exit_rcu+0xf5/0x320\\ncommon_interrupt+0x80/0x90\\nasm_common_interrupt+0x22/0x40\\ncpuidle_enter_state+0xfb/0x273\\ncpu_startup_entry+0x15e/0x260\\nstart_secondary+0x8a/0x90\\nsecondary_startup_64_no_verify+0xfa/0xfb\\n\\nfreed by task 0 on cpu 9 at 260507.927527s:\\nrcu_core_si+0x4ff/0xf10\\nirq_exit_rcu+0xf5/0x320\\nsysvec_apic_timer_interrupt+0x6d/0x80\\nasm_sysvec_apic_timer_interrupt+0x16/0x20\\ncpuidle_enter_state+0xfb/0x273\\ncpu_startup_entry+0x15e/0x260\\nstart_secondary+0x8a/0x90\\nsecondary_startup_64_no_verify+0xfa/0xfb\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp/dccp: No use timer_pending() en reqsk_queue_unlink(). Martin KaFai Lau inform\u00f3 de un use-after-free [0] en reqsk_timer_handler(). \\\"\\\"\\\" Estamos viendo un use-after-free de un programa bpf adjunto a trace_tcp_retransmit_synack. El programa pasa el req-\u0026gt;sk al ayudante del kernel bpf_sk_storage_get_tracing que comprueba si hay valores nulos antes de usarlo. \\\"\\\"\\\" El commit 83fccfc3940c (\\\"inet: soluciona un posible bloqueo en reqsk_queue_unlink()\\\") agreg\u00f3 timer_pending() en reqsk_queue_unlink() para no llamar a del_timer_sync() desde reqsk_timer_handler(), pero introdujo una peque\u00f1a ventana de ejecuci\u00f3n. Antes de que se llame al temporizador, expire_timers() llama a detach_timer(timer, true) para borrar timer-\u0026gt;entry.pprev y lo marca como no pendiente. Si reqsk_queue_unlink() comprueba timer_pending() justo despu\u00e9s de que expire_timers() llame a detach_timer(), TCP no detectar\u00e1 del_timer_sync(); el temporizador reqsk seguir\u00e1 funcionando y enviar\u00e1 varios SYN+ACK hasta que expire. El UAF informado podr\u00eda ocurrir si se cierra req-\u0026gt;sk antes de la expiraci\u00f3n del temporizador, que es 63 s por defecto. El escenario ser\u00eda 1. inet_csk_complete_hashdance() llama a inet_csk_reqsk_queue_drop(), pero se omite del_timer_sync() 2. se ejecuta el temporizador reqsk y se programa nuevamente 3. se acepta req-\u0026gt;sk y reqsk_put() decrementa rsk_refcnt, pero el temporizador reqsk a\u00fan tiene otro, e inet_csk_accept() no borra req-\u0026gt;sk para sockets que no sean TFO 4. se cierra sk 5. se ejecuta nuevamente el temporizador reqsk y BPF toca req-\u0026gt;sk No usemos timer_pending() pasando el contexto del llamador a __inet_csk_reqsk_queue_drop(). Tenga en cuenta que el temporizador reqsk est\u00e1 fijado, por lo que el problema no ocurre en la mayor\u00eda de los casos de uso. [1] [0] ERROR: KFENCE: lectura de use-after-free en bpf_sk_storage_get_tracing+0x2e/0x1b0 Lectura de use-after-free en 0x00000000a891fb3a (en kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, tama\u00f1o=2376, cach\u00e9=TCPv6 asignado por la tarea 0 en la CPU 9 en 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb liberado por la tarea 0 en la CPU 9 a las 260507.927527 s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpu_idle_entrada_estado+0xfb/0x273 cpu_inicio_entrada+0x15e/0x260 inicio_secundario+0x8a/0x90 inicio_secundario_64_sin_verificaci\u00f3n+0xfa/0xfb\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.1.11\",\"versionEndExcluding\":\"4.2\",\"matchCriteriaId\":\"3CD6E092-00BA-470A-BD6E-9FF38E84DB99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2\",\"versionEndExcluding\":\"5.15.170\",\"matchCriteriaId\":\"D37DEB92-5329-47EC-94B1-051761C1F534\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.115\",\"matchCriteriaId\":\"C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.59\",\"matchCriteriaId\":\"5D15CA59-D15C-4ACD-8B03-A072DEAD2081\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.6\",\"matchCriteriaId\":\"E4486B12-007B-4794-9857-F07145637AA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.