CVE-2024-50047

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.58

Description The issue is related to a use-after-free vulnerability in the async decryption function of the Linux kernel's SMB client. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the decrypt raw data() function is used in parallel, causing a slab-use-after-free error. The error is triggered by an async decryption operation, such as a large read, which crashes with a slab-use-after-free way down in the crypto API.

Recommendations To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the decrypt raw data() function until a patch is available. Additionally, restrict access to the vulnerable SMB client module to minimize the risk of exploitation. Avoid using the smb2 decrypt offload() function in the affected API endpoint until the issue is resolved. At the moment, there is no other information about additional mitigation measures.