PT-2024-4103 · Linux+8 · Linux Kernel+8

Zhongqiu Han

·

Published

2024-05-09

·

Updated

2025-09-29

·

CVE-2024-36899

CVSS v3.1

7.0

High

VectorAV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The issue occurs when the GPIO chip device file is being closed by invoking gpio chrdev release(), where watched lines is freed by bitmap free(), but the unregistration of lineinfo changed nb notifier chain failed due to waiting write rwsem. A race condition leads to the use-after-free of watched lines. The side effect of this issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway.
Recommendations To fix the issue, call the bitmap free() function after the unregistration of lineinfo changed nb notifier chain. As a temporary workaround, consider disabling the lineinfo changed notify() function until a patch is available. Restrict access to the gpiolib module to minimize the risk of exploitation. Avoid using the watched lines variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-416CWE-362

Related Identifiers

ALSA-2024:6997
ALSA-2025_16880
AZL-55548
BDU:2024-04554
CVE-2024-36899
DLA-4075-1
DLA-4076-1
DSA-5860-1
INFSA-2024_6997
MGASA-2024-0263
MGASA-2024-0266
OESA-2024-1706
OESA-2024-1707
OESA-2024-1960
OPENSUSE-SU-2024_2372-1
OPENSUSE-SU-2024_2394-1
OPENSUSE-SU-2024_3623-1
OPENSUSE-SU-2024_3624-1
OPENSUSE-SU-2024_3625-1
OPENSUSE-SU-2024_3631-1
OPENSUSE-SU-2024_3632-1
OPENSUSE-SU-2024_3635-1
OPENSUSE-SU-2024_3636-1
OPENSUSE-SU-2024_3638-1
OPENSUSE-SU-2024_3639-1
OPENSUSE-SU-2024_3643-1
OPENSUSE-SU-2024_3655-1
OPENSUSE-SU-2024_3666-1
OPENSUSE-SU-2024_3670-1
OPENSUSE-SU-2024_3672-1
OPENSUSE-SU-2024_3679-1
OPENSUSE-SU-2024_3680-1
OPENSUSE-SU-2024_3694-1
OPENSUSE-SU-2024_3695-1
OPENSUSE-SU-2024_3696-1
OPENSUSE-SU-2024_3697-1
OPENSUSE-SU-2024_3700-1
OPENSUSE-SU-2024_3701-1
OPENSUSE-SU-2024_3702-1
OPENSUSE-SU-2024_3706-1
OPENSUSE-SU-2024_3710-1
OPENSUSE-SU-2024_3780-1
OPENSUSE-SU-2024_3793-1
OPENSUSE-SU-2024_3806-1
OPENSUSE-SU-2024_3815-1
OPENSUSE-SU-2024_3829-1
OPENSUSE-SU-2024_3830-1
OPENSUSE-SU-2024_3831-1
OPENSUSE-SU-2024_3833-1
OPENSUSE-SU-2024_3837-1
OPENSUSE-SU-2024_3840-1
OPENSUSE-SU-2024_3842-1
OPENSUSE-SU-2024_3851-1
OPENSUSE-SU-2024_3852-1
OPENSUSE-SU-2024_3855-1
OPENSUSE-SU-2024_3857-1
OPENSUSE-SU-2024_3860-1
OPENSUSE-SU-2024_3880-1
OPENSUSE-SU-2024_3881-1
OPENSUSE-SU-2024_4122-1
OPENSUSE-SU-2024_4123-1
OPENSUSE-SU-2024_4124-1
OPENSUSE-SU-2024_4125-1
OPENSUSE-SU-2024_4127-1
OPENSUSE-SU-2024_4207-1
OPENSUSE-SU-2024_4208-1
OPENSUSE-SU-2024_4214-1
OPENSUSE-SU-2024_4216-1
OPENSUSE-SU-2024_4218-1
OPENSUSE-SU-2024_4228-1
OPENSUSE-SU-2024_4234-1
OPENSUSE-SU-2024_4235-1
OPENSUSE-SU-2024_4236-1
OPENSUSE-SU-2024_4243-1
OPENSUSE-SU-2024_4266-1
OPENSUSE-SU-2024_4275-1
OPENSUSE-SU-2025_0107-1
OPENSUSE-SU-2025_0109-1
OPENSUSE-SU-2025_0110-1
OPENSUSE-SU-2025_0114-1
OPENSUSE-SU-2025_0115-1
OPENSUSE-SU-2025_0124-1
OPENSUSE-SU-2025_0138-1
OPENSUSE-SU-2025_0146-1
OPENSUSE-SU-2025_0150-1
OPENSUSE-SU-2025_0158-1
OPENSUSE-SU-2025_0164-1
OPENSUSE-SU-2025_0187-1
OPENSUSE-SU-2025_0248-1
OPENSUSE-SU-2025_0249-1
OPENSUSE-SU-2025_0251-1
OPENSUSE-SU-2025_0252-1
OPENSUSE-SU-2025_0253-1
OPENSUSE-SU-2025_0254-1
OPENSUSE-SU-2025_0255-1
OPENSUSE-SU-2025_0260-1
OPENSUSE-SU-2025_0261-1
OPENSUSE-SU-2025_0264-1
OPENSUSE-SU-2025_0266-1
RHSA-2024:6997
RHSA-2024:7004
RHSA-2024:7005
RHSA-2024_6997
SUSE-SU-2024:2372-1
SUSE-SU-2024:2385-1
SUSE-SU-2024:2394-1
SUSE-SU-2024:2495-1
SUSE-SU-2024:2571-1
SUSE-SU-2024:2896-1
SUSE-SU-2024:2939-1
SUSE-SU-2024:2973-1
SUSE-SU-2024:3623-1
SUSE-SU-2024:3624-1
SUSE-SU-2024:3625-1
SUSE-SU-2024:3628-1
SUSE-SU-2024:3631-1
SUSE-SU-2024:3632-1
SUSE-SU-2024:3635-1
SUSE-SU-2024:3636-1
SUSE-SU-2024:3638-1
SUSE-SU-2024:3639-1
SUSE-SU-2024:3643-1
SUSE-SU-2024:3655-1
SUSE-SU-2024:3666-1
SUSE-SU-2024:3670-1
SUSE-SU-2024:3672-1
SUSE-SU-2024:3679-1
SUSE-SU-2024:3680-1
SUSE-SU-2024:3694-1
SUSE-SU-2024:3695-1
SUSE-SU-2024:3696-1
SUSE-SU-2024:3697-1
SUSE-SU-2024:3700-1
SUSE-SU-2024:3701-1
SUSE-SU-2024:3702-1
SUSE-SU-2024:3706-1
SUSE-SU-2024:3710-1
SUSE-SU-2024:3780-1
SUSE-SU-2024:3793-1
SUSE-SU-2024:3806-1
SUSE-SU-2024:3815-1
SUSE-SU-2024:3829-1
SUSE-SU-2024:3830-1
SUSE-SU-2024:3831-1
SUSE-SU-2024:3833-1
SUSE-SU-2024:3837-1
SUSE-SU-2024:3840-1
SUSE-SU-2024:3842-1
SUSE-SU-2024:3851-1
SUSE-SU-2024:3852-1
SUSE-SU-2024:3855-1
SUSE-SU-2024:3857-1
SUSE-SU-2024:3860-1
SUSE-SU-2024:3880-1
SUSE-SU-2024:3881-1
SUSE-SU-2024:4122-1
SUSE-SU-2024:4123-1
SUSE-SU-2024:4124-1
SUSE-SU-2024:4125-1
SUSE-SU-2024:4127-1
SUSE-SU-2024:4207-1
SUSE-SU-2024:4208-1
SUSE-SU-2024:4214-1
SUSE-SU-2024:4216-1
SUSE-SU-2024:4218-1
SUSE-SU-2024:4228-1
SUSE-SU-2024:4234-1
SUSE-SU-2024:4235-1
SUSE-SU-2024:4236-1
SUSE-SU-2024:4243-1
SUSE-SU-2024:4266-1
SUSE-SU-2024:4275-1
SUSE-SU-2025:0107-1
SUSE-SU-2025:0109-1
SUSE-SU-2025:0110-1
SUSE-SU-2025:0114-1
SUSE-SU-2025:0115-1
SUSE-SU-2025:0124-1
SUSE-SU-2025:0138-1
SUSE-SU-2025:0146-1
SUSE-SU-2025:0150-1
SUSE-SU-2025:0158-1
SUSE-SU-2025:0164-1
SUSE-SU-2025:0187-1
SUSE-SU-2025:0248-1
SUSE-SU-2025:0249-1
SUSE-SU-2025:0251-1
SUSE-SU-2025:0252-1
SUSE-SU-2025:0253-1
SUSE-SU-2025:0254-1
SUSE-SU-2025:0255-1
SUSE-SU-2025:0260-1
SUSE-SU-2025:0261-1
SUSE-SU-2025:0264-1
SUSE-SU-2025:0266-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
USN-6949-1
USN-6949-2
USN-6952-1
USN-6952-2
USN-6955-1
USN-7387-1
USN-7387-2
USN-7387-3
USN-7388-1
USN-7389-1
USN-7390-1
USN-7407-1
USN-7421-1
USN-7458-1
USN-7459-1
USN-7459-2

Affected Products

Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu