CVE-2024-44954

Oct. 10, 2024, 6:02 p.m.

4.7
Medium

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: Fix racy access to midibuf There can be concurrent accesses to line6 midibuf from both the URB completion callback and the rawmidi API access. This could be a cause of KMSAN warning triggered by syzkaller below (so put as reported-by here). This patch protects the midibuf call of the former code path with a spinlock for avoiding the possible races.

Product(s) Impacted

Vendor Product Versions
Linux
  • Linux Kernel
  • *, 6.11

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel 6.11 rc1 / / / / / /
o linux linux_kernel 6.11 rc2 / / / / / /

References

https://git.kernel.org/stable/c/15b7a03205b31bc5623378c190d22b7ff60026f1
https://git.kernel.org/stable/c/40f3d5cb0e0cbf7fa697913a27d5d361373bdcf5
https://git.kernel.org/stable/c/51d87f11dd199bbc6a85982b088ff27bde53b48a
https://git.kernel.org/stable/c/535df7f896a568a8a1564114eaea49d002cb1747
https://git.kernel.org/stable/c/643293b68fbb6c03f5e907736498da17d43f0d81
https://git.kernel.org/stable/c/a54da4b787dcac60b598da69c9c0072812b8282d
https://git.kernel.org/stable/c/c80f454a805443c274394b1db0d1ebf477abd94e
https://git.kernel.org/stable/c/e7e7d2b180d8f297cea6db43ea72402fd33e1a29

Tags

416baaa9-dc9f-4396-8d5f-8c081fb06d67
CWE-362
2024-09-04
CVE-2024-44954

CVSS Score

4.7 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Sept. 4, 2024, 7:15 p.m.
Last Modified: Oct. 10, 2024, 6:02 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.