CVE-2024-40913
- Source
- https://cve.org/CVERecord?id=CVE-2024-40913
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40913.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-40913
- Downstream
- Related
- Published
- 2024-07-12T12:24:57.363Z
- Modified
- 2026-05-15T11:53:50.342685152Z
- Summary
- cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: defer exposing anonfd until after copyto_user() succeeds
After installing the anonymous fd, we can now see it in userland and close it. However, at this point we may not have gotten the reference count of the cache, but we will put it during colse fd, so this may cause a cache UAF.
So grab the cache reference count before fdinstall(). In addition, by kernel convention, fd is taken over by the user land after fdinstall(), and the kernel should not call closefd() after that, i.e., it should call fdinstall() after everything is ready, thus fdinstall() is called after copyto_user() succeeds.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40913.json" }- References
-
- https://git.kernel.org/stable/c/4b4391e77a6bf24cba2ef1590e113d9b73b11039
- https://git.kernel.org/stable/c/b9f58cdae6a364a3270fd6b6a46e0fd4f7f8ce32
- https://git.kernel.org/stable/c/d2d3eb377a5d081bf2bed177d354a4f59b74da88
- https://git.kernel.org/stable/c/eac51d9daacd61dcc93333ff6a890cf3efc8c1c0
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40913.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-40913
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git