DEBIAN-CVE-2024-40900
- Source
- https://security-tracker.debian.org/tracker/CVE-2024-40900
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-40900.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-40900
- Upstream
- Published
- 2024-07-12T13:15:13Z
- Modified
- 2025-09-25T23:29:20.553113Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: cachefiles: remove requests from xarray during flushing requests Even with CACHEFILESDEAD set, we can still read the requests, so in the following concurrency the request may be used after it has been freed: mount | daemonthread1 | daemonthread2 ------------------------------------------------------------ cachefilesondemandinitobject cachefilesondemandsendreq REQA = kzalloc(sizeof(*req) + datalen) waitforcompletion(&REQA->done) cachefilesdaemonread cachefilesondemanddaemonread // close dev fd cachefilesflushreqs complete(&REQA->done) kfree(REQA) xalock(&cache->reqs); cachefilesondemandselectreq req->msg.opcode != CACHEFILESOPREAD // req use-after-free !!! xaunlock(&cache->reqs); xa_destroy(&cache->reqs) Hence remove requests from cache->reqs when flushing them to avoid accessing freed requests.
- References
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.99-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:11 / linux-6.1
Package
- Name
- linux-6.1
- Purl
- pkg:deb/debian/linux-6.1?arch=source