CVE-2024-39493

CVSS v3.1 5.5 (Medium)

EPSS 0.04 % (5^th)

Affected Products 1

Advisories 19

NVD Status Analyzed

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

Using completion_done to determine whether the caller has gone
away only works after a complete call. Furthermore it's still
possible that the caller has not yet called wait_for_completion,
resulting in another potential UAF.

Fix this by making the caller use cancel_work_sync and then freeing
the memory safely.

Weaknesses

CWE-401: Missing Release of Memory after Effective Lifetime

CVE Status: PUBLISHED
NVD Status: Analyzed
CNA: kernel.org
Published Date: 2024-07-10 08:15:11
(2 months ago)
Updated Date: 2024-07-31 15:38:54
(6 weeks ago)

Affected Products

Linux

Linux Kernel

Configuration #1

	CPE23	From	Up To
Linux Kernel from 4.19.312 version and prior 4.19.316 version	cpe:2.3:o:linux:linux_kernel	>= 4.19.312	< 4.19.316
Linux Kernel from 5.4.274 version and prior 5.4.278 version	cpe:2.3:o:linux:linux_kernel	>= 5.4.274	< 5.4.278
Linux Kernel from 5.10.215 version and prior 5.10.219 version	cpe:2.3:o:linux:linux_kernel	>= 5.10.215	< 5.10.219
Linux Kernel from 5.15.154 version and prior 5.15.161 version	cpe:2.3:o:linux:linux_kernel	>= 5.15.154	< 5.15.161
Linux Kernel from 6.1.84 version and prior 6.1.94 version	cpe:2.3:o:linux:linux_kernel	>= 6.1.84	< 6.1.94
Linux Kernel from 6.6.24 version and prior 6.6.34 version	cpe:2.3:o:linux:linux_kernel	>= 6.6.24	< 6.6.34
Linux Kernel from 6.9 version and prior 6.9.5 version	cpe:2.3:o:linux:linux_kernel	>= 6.9	< 6.9.5