PT-2024-9022 · Linux+5 · Linux Kernel+5
Published: 2024-05-30 · Updated: 2025-03-28
CVE-2024-36894
CVSS v3.1: 5.6 (Medium)
Vector: AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Linux kernel (affected versions not specified)
Description:
The issue is a race condition between the AIO completion handler and AIO cancel in the Linux kernel's usb: gadget: f_fs component. It occurs when the FFS application issues an AIO cancel call while the UDC is handling a soft disconnect, which leads to access through a stale/hanging pointer. The problem arises from the lack of locking between the AIO completion handler and AIO cancel. To fix this, the usb_ep_free_request() call is moved back to ffs_user_copy_worker(), which explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock.
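The locking pattern described above, as an added userspace C model (not the kernel's code and not part of the original entry): the completion side frees the request and clears the pointer under one lock, and the cancel side checks the pointer under that same lock. All `model_*` names and the pthread mutex standing in for ffs->eps_lock are assumptions made for illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
/* Userspace model only: every model_* name is hypothetical, not kernel code. */
struct model_req { int queued; };                /* stands in for the USB request */
struct model_io_data { struct model_req *req; }; /* stands in for io_data->req */
static pthread_mutex_t eps_lock = PTHREAD_MUTEX_INITIALIZER; /* models ffs->eps_lock */

static struct model_io_data *model_submit(void)
{
    struct model_io_data *io = calloc(1, sizeof(*io));
    if (!io) return NULL;
    io->req = calloc(1, sizeof(*io->req));
    if (!io->req) { free(io); return NULL; }
    io->req->queued = 1;
    return io;
}

/* Completion side: free and clear the pointer inside one critical section. */
static void model_complete(struct model_io_data *io)
{
    pthread_mutex_lock(&eps_lock);
    free(io->req);
    io->req = NULL;              /* a later cancel sees NULL, not freed memory */
    pthread_mutex_unlock(&eps_lock);
}

/* Cancel side: take the same lock and check the pointer before using it. */
static int model_cancel(struct model_io_data *io)
{
    int ret = -EINVAL;
    pthread_mutex_lock(&eps_lock);
    if (io->req) {
        io->req->queued = 0;     /* models dequeuing the pending request */
        ret = 0;
    }
    pthread_mutex_unlock(&eps_lock);
    return ret;
}

int main(void)
{
    struct model_io_data *io = model_submit();
    if (!io) return 1;
    model_complete(io);              /* completion runs first */
    int late = model_cancel(io);     /* cancel arrives afterwards */
    free(io);
    return late == -EINVAL ? 0 : 1;
}
```

Without the shared lock and the NULL assignment, the late cancel would dereference a request that the completion path had already freed.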
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Locking
Race Condition
Related Identifiers
Affected Products
Astra Linux
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu