PT-2024-3415 · Linux+5 · Linux Kernel+5
Syzkaller · Published 2024-03-12 · Updated 2026-03-14 · CVE-2024-26865
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Linux kernel (affected versions not specified)
Description:
The issue is a use-after-free vulnerability in the reqsk_timer_handler() function. It can be triggered when a reqsk timer fires and a use-after-free (UAF) occurs while freeing the reqsk. The scenario involves creating a per-netns TCP listener using unshare(CLONE_NEWNET) and rds_tcp_listen_init(), then connecting to it using syz-executor and creating a reqsk. When syz-executor exits immediately, the netns is dismantled and the reqsk timer fires, leading to the UAF. The reqsk assumes that the listener guarantees netns safety until all reqsk timers have expired, by holding the listener's refcount. However, this was not the case for kernel sockets.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Ubuntu