CVE-2024-44934

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.50

Description A use-after-free vulnerability has been identified in the Linux kernel, specifically in the net/bridge/br multicast.c module. This issue arises because the bridge does not ensure that all previous garbage collection cycles have been completed before removing a port. As a result, a port can be freed while group timers are still running, leading to a use-after-free condition. The vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information.

Recommendations To resolve this issue, update the Linux kernel to version 6.6.50 or later. If updating is not feasible, consider temporarily disabling the br multicast port group expired() function or restricting access to the vulnerable module until a patch is available. Additionally, ensure that all previous garbage collection cycles have finished before freeing a port by using flush work before freeing the port.