CVE-2024-53173

Jan. 14, 2025, 5:11 p.m.

7.8
High

Description

In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() in nfs4_open_release() before the rpc_task is freed.

Product(s) Impacted

Vendor Product Versions
Linux
  • Linux Kernel
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-416
Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /

References

https://git.kernel.org/stable/c/1cfae9575296f5040cdc84b0730e79078c081d2d
https://git.kernel.org/stable/c/229a30ed42bb87bcb044c5523fabd9e4f0e75648
https://git.kernel.org/stable/c/2ab9639f16b05d948066a6c4cf19a0fdc61046ff
https://git.kernel.org/stable/c/2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889
https://git.kernel.org/stable/c/5237a297ffd374a1c4157a53543b7a69d7bbbc03
https://git.kernel.org/stable/c/7bf6bf130af8ee7d93a99c28a7512df3017ec759
https://git.kernel.org/stable/c/b56ae8e715557b4fc227c9381d2e681ffafe7b15
https://git.kernel.org/stable/c/ba6e6c04f60fe52d91520ac4d749d372d4c74521
https://git.kernel.org/stable/c/e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77

Tags

416baaa9-dc9f-4396-8d5f-8c081fb06d67
CWE-416
2024-12-27
CVE-2024-53173

CVSS Score

7.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 27, 2024, 2:15 p.m.
Last Modified: Jan. 14, 2025, 5:11 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.