PT-2024-33836 · Linux+6 · Linux Kernel+6
Alexander Sverdlin
·
Published
2024-10-01
·
Updated
2026-03-13
·
CVE-2024-49998
CVSS v3.1
4.7
Medium
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Linux kernel (affected versions not specified)
Description:
A vulnerability has been resolved in the Linux kernel related to the shutdown sequence of the lan9303 driver. The issue involves two problems: one where the lan9303 driver calls dev get drvdata() at arbitrary runtime, and another where the setting of dp->conduit->dsa ptr = NULL is concurrent with receive packet processing, leading to potential null pointer dereferences. Closing the conduit interface solves both problems by stopping the phylink state machine and ensuring that ioctls, rtnetlinks, and ethtool requests on the user ports no longer propagate down to the driver.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu