PT-2024-3838 · Linux · Linux Kernel
Paulo Alcantara
·
Published
2024-01-29
·
Updated
2026-05-26
·
CVE-2024-35870
CVSS v2.0
4.6
Medium
Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.37
Description
Use-after-free (UAF) in smb2_reconnect_server() in the Linux kernel SMB client (the cifs module). smb2_reconnect_server() can access a session that is already being torn down by another thread executing __cifs_put_smb_ses(). This happens when (a) the client has a connection to the server but no session, or (b) another thread sets @ses->ses_status again to something other than SES_EXITING while the session is being torn down. The fix sets @ses->ses_status to SES_EXITING unconditionally when a session is torn down and prevents any other thread from assigning a new status while the teardown is in progress. The CVSS vector above reflects the impact: a local, authenticated user who can trigger the race crashes the kernel (denial of service); no confidentiality or integrity impact is recorded.
Recommendations
Update the Linux kernel to version 6.6.37 or later, or to a distribution kernel that carries the fix for CVE-2024-35870. There is no switch that disables smb2_reconnect_server() on its own: it is part of the cifs client module and runs whenever an SMB session has to be re-established. Until the kernel is updated, the workaround is to keep the cifs module out of use on affected hosts: do not mount SMB/CIFS shares, or prevent the module from loading (for example with an "install cifs /bin/false" line in a modprobe.d file), and restrict which local users may mount or otherwise drive SMB sessions.
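As an added illustration that is not code from the kernel or from this advisory: a simplified, single-threaded model of the two interleavings named in the Description, with the pre-fix and post-fix teardown logic side by side. Only the names ses_status, ses_count, SES_EXITING, __cifs_put_smb_ses and smb2_reconnect_server come from the kernel; the struct layout, the "freed" flag and the function bodies are assumptions made for illustration. The kernel serialises these steps with ses->ses_lock; here the interleaving is sequenced by hand so the result is deterministic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the cifs session lifecycle, not the kernel's code.
 * Locking (ses->ses_lock) is elided; the scenario functions below replay
 * one specific interleaving of a teardown thread and a reconnect thread. */

enum ses_status { SES_NEW, SES_GOOD, SES_NEED_RECON, SES_EXITING };

struct smb_ses {
    enum ses_status ses_status;
    int ses_count;   /* references held by users of the session */
    bool freed;      /* stands in for kfree(): memory no longer valid */
};

/* Teardown thread: __cifs_put_smb_ses() dropping the last reference. */
static void put_smb_ses(struct smb_ses *ses, bool fixed)
{
    if (--ses->ses_count > 0)
        return;
    if (fixed) {
        /* Fix: mark the session as exiting regardless of its current state. */
        ses->ses_status = SES_EXITING;
    } else if (ses->ses_status == SES_GOOD) {
        /* Pre-fix behaviour as the advisory describes it: a session that
         * never reached SES_GOOD (case a) keeps its old status. */
        ses->ses_status = SES_EXITING;
    }
    ses->freed = true;   /* the session memory is released after this */
}

/* Any other thread changing the session status (e.g. flagging it for a
 * reconnect). Returns true if the status was changed. */
static bool set_ses_status(struct smb_ses *ses, enum ses_status st, bool fixed)
{
    if (fixed && ses->ses_status == SES_EXITING)
        return false;   /* Fix: nobody may revive an exiting session */
    ses->ses_status = st;
    return true;
}

/* Reconnect thread: smb2_reconnect_server() visiting a session on the
 * connection. Returns 1 if it touched a freed session (the UAF), 0 if it
 * skipped the session or used it while still valid. */
static int reconnect_server(struct smb_ses *ses)
{
    if (ses->ses_status == SES_EXITING)
        return 0;                      /* skip sessions being torn down */
    ses->ses_count++;                  /* take a reference and use it ... */
    int uaf = ses->freed ? 1 : 0;      /* ... a UAF if already freed */
    ses->ses_count--;
    return uaf;
}

/* Case (a): connection exists but the session never got past SES_NEW. */
int scenario_no_session(bool fixed)
{
    struct smb_ses ses = { .ses_status = SES_NEW, .ses_count = 1 };
    put_smb_ses(&ses, fixed);          /* last reference dropped */
    return reconnect_server(&ses);     /* racing reconnect */
}

/* Case (b): teardown set SES_EXITING, then another thread assigned a new
 * status before the reconnect ran. */
int scenario_status_reset(bool fixed)
{
    struct smb_ses ses = { .ses_status = SES_GOOD, .ses_count = 1 };
    put_smb_ses(&ses, fixed);
    set_ses_status(&ses, SES_NEED_RECON, fixed);
    return reconnect_server(&ses);
}

int main(void)
{
    printf("no session:   vulnerable=%d fixed=%d\n",
           scenario_no_session(false), scenario_no_session(true));
    printf("status reset: vulnerable=%d fixed=%d\n",
           scenario_status_reset(false), scenario_status_reset(true));
    return 0;
}
```

Both pre-fix runs report 1 (the reconnect path dereferences a session that has already been released) and both post-fix runs report 0, because the reconnect path sees SES_EXITING in case (a) and the status reset is refused in case (b). The point for a reviewer of similar refcount-plus-state code is the same one the fix makes: the terminal state must be assigned on every teardown path, not only from the "healthy" state, and it must be sticky.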
DoS
Buffer Overflow
NULL Pointer Dereference
Use After Free
Related Identifiers
Affected Products
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu