CVE-2024-26737

MEDIUM

Published 2024-04-03T17:00:23.414Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-26737. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

5.5

/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2023.03.01

0.000

probability

of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-01-25

Exploit Probability

Percentile: 0.178

Higher than 17.8% of all CVEs

Attack Vector Metrics

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel

The following race is possible between bpf_timer_cancel_and_free
and bpf_timer_cancel. It will lead a UAF on the timer->timer.

bpf_timer_cancel();
spin_lock();
t = timer->time;
spin_unlock();

bpf_timer_cancel_and_free();
spin_lock();
t = timer->timer;
timer->timer = NULL;
spin_unlock();
hrtimer_cancel(&t->timer);
kfree(t);

/* UAF on t */
hrtimer_cancel(&t->timer);

In bpf_timer_cancel_and_free, this patch frees the timer->timer
after a rcu grace period. This requires a rcu_head addition
to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init,
this does not need a kfree_rcu because it is still under the
spin_lock and timer->timer has not been visible by others yet.

In bpf_timer_cancel, rcu_read_lock() is added because this helper
can be used in a non rcu critical section context (e.g. from
a sleepable bpf prog). Other timer->timer usages in helpers.c
have been audited, bpf_timer_cancel() is the only place where
timer->timer is used outside of the spin_lock.

Another solution considered is to mark a t->flag in bpf_timer_cancel
and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,
it busy waits for the flag to be cleared before kfree(t). This patch
goes with a straight forward solution and frees timer->timer after
a rcu grace period.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Linux

Affected Versions:

b00628b1c7d595ae5b544e059c27b1f5828314b4 b00628b1c7d595ae5b544e059c27b1f5828314b4 b00628b1c7d595ae5b544e059c27b1f5828314b4 b00628b1c7d595ae5b544e059c27b1f5828314b4 b00628b1c7d595ae5b544e059c27b1f5828314b4

Linux

Affected Versions:

5.15 0 5.15.150 6.1.80 6.6.19 6.7.7 6.8

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-8x8h-8p2w-8g4f

Advisory Details

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock(); t = timer->time; spin_unlock(); bpf_timer_cancel_and_free(); spin_lock(); t = timer->timer; timer->timer = NULL; spin_unlock(); hrtimer_cancel(&t->timer); kfree(t); /* UAF on t */ hrtimer_cancel(&t->timer); In bpf_timer_cancel_and_free, this patch frees the timer->timer after a rcu grace period. This requires a rcu_head addition to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init, this does not need a kfree_rcu because it is still under the spin_lock and timer->timer has not been visible by others yet. In bpf_timer_cancel, rcu_read_lock() is added because this helper can be used in a non rcu critical section context (e.g. from a sleepable bpf prog). Other timer->timer usages in helpers.c have been audited, bpf_timer_cancel() is the only place where timer->timer is used outside of the spin_lock. Another solution considered is to mark a t->flag in bpf_timer_cancel and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free, it busy waits for the flag to be cleared before kfree(t). This patch goes with a straight forward solution and frees timer->timer after a rcu grace period.

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-26737

WEB https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f

WEB https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c

WEB https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33

WEB https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6

WEB https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5

Advisory provided by GitHub Security Advisory Database. Published: April 3, 2024, Modified: November 4, 2024

References

https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c

https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5

https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6

https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33

https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f

Published: 2024-04-03T17:00:23.414Z

Last Modified: 2025-05-04T08:55:16.760Z

Copied to clipboard!

CVE-2024-26737

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

Linux

Affected Versions:

Linux

Affected Versions:

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!