CVE-2024-53186

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4", "name": "https://git.kernel.org/stable/c/96261adb998a3b513468b6ce17dbec76be5507d4", "tags": ["Patch"], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e", "name": "https://git.kernel.org/stable/c/9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e", "tags": ["Patch"], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800", "name": "https://git.kernel.org/stable/c/a96f9eb7add30ba0fafcfe7b7aca090978196800", "tags": ["Patch"], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33", "name": "https://git.kernel.org/stable/c/f20b77f7897e6aab9ce5527e6016ad2be5d70a33", "tags": ["Patch"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in SMB request handling\n\nA race condition exists between SMB request handling in\n`ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the\nworkqueue handler `handle_ksmbd_work()`. This leads to a UAF.\n- KASAN: slab-use-after-free Read in handle_ksmbd_work\n- KASAN: slab-use-after-free in rtlock_slowlock_locked\n\nThis race condition arises as follows:\n- `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero:\n `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);`\n- Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using\n `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls\n `ksmbd_conn_free()`, which frees `conn`.\n- However, after `handle_ksmbd_work()` decrements `conn->r_count`,\n it may still access `conn->r_count_q` in the following line:\n `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)`\n This results in a UAF, as `conn` has already been freed.\n\nThe discovery of this UAF can be referenced in the following PR for\nsyzkaller's support for SMB requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-53186", "ASSIGNER": "cve@kernel.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}}, "publishedDate": "2024-12-27T14:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.11", "versionStartIncluding": "6.10.14"}, {"cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12"}, {"cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.11.3"}, {"cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.6.64", "versionStartIncluding": "6.6.55"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-02-10T18:15Z"}