PT-2024-3837 · Linux+5 · Linux Kernel+5
Duoming Zhou · Published 2024-04-02 · Updated 2026-03-14 · CVE-2024-35887
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue is related to a use-after-free bug in the ax25_dev_device_down() function, which is caused by concurrent access to a resource, leading to a race condition. When the ax25 device is detaching, the ax25_dev_device_down() function calls ax25_ds_del_timer() to clean up the slave timer. However, if the timer handler is running, ax25_ds_del_timer() will return directly, resulting in use-after-free bugs. One scenario is shown below:
      (Thread 1)          |      (Thread 2)
                          | ax25_ds_timeout()
ax25_dev_device_down()    |
  ax25_ds_del_timer()     |
    del_timer()           |
  ax25_dev_put() //FREE   |
                          |  ax25_dev-> //USE
To mitigate the bug, when the device is detaching, use timer_shutdown_sync() to stop the timer.
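The interleaving above, as a userspace model added here for illustration (not code from the advisory or from the kernel): struct dev, handler(), detach() and the gate flag are hypothetical names, the free is modelled as a flag so the program stays well defined, and the non-waiting branch stands in for del_timer() while the waiting branch stands in for timer_shutdown_sync().

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed userspace model: struct dev stands in for ax25_dev and
 * handler() for the ax25_ds_timeout() timer callback. */
struct dev {
    atomic_bool running; /* timer handler is executing */
    atomic_bool gate;    /* holds the handler mid-flight so the order is fixed */
    atomic_bool freed;   /* set in place of kfree() so the model stays defined */
    atomic_int  uaf;     /* handler touched the device after the "free" */
};

static void *handler(void *arg)
{
    struct dev *d = arg;
    atomic_store(&d->running, true);
    while (!atomic_load(&d->gate))
        sched_yield();                  /* handler still in progress */
    if (atomic_load(&d->freed))         /* ax25_dev-> //USE */
        atomic_fetch_add(&d->uaf, 1);
    atomic_store(&d->running, false);
    return NULL;
}

/* Detach the device while the handler runs; returns the stale-access count. */
static int detach(bool sync)
{
    struct dev d = {0};
    pthread_t t;

    if (pthread_create(&t, NULL, handler, &d) != 0)
        return -1;
    while (!atomic_load(&d.running))
        sched_yield();                  /* Thread 2 is inside the handler */
    if (sync) {                         /* timer_shutdown_sync(): wait it out */
        atomic_store(&d.gate, true);
        while (atomic_load(&d.running))
            sched_yield();
    }                                   /* del_timer(): returns immediately */
    atomic_store(&d.freed, true);       /* ax25_dev_put() //FREE */
    atomic_store(&d.gate, true);
    pthread_join(t, NULL);
    return atomic_load(&d.uaf);
}

int main(void) { return detach(false) == 1 && detach(true) == 0 ? 0 : 1; }
```

Build with `cc -pthread`; the exit status is 0 when the non-waiting teardown records one stale access and the waiting teardown records none.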
Recommendations
To resolve the issue, use timer_shutdown_sync() to stop the timer when the device is detaching.
As a temporary workaround, consider disabling the ax25_dev_device_down() function until a patch is available.
Restrict access to the vulnerable module to minimize the risk of exploitation.
Avoid using the ax25_ds_del_timer() function in the affected API endpoint until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Use After Free
Race Condition
Related Identifiers
Affected Products
Astra Linux
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu