CVE-2024-26583

tls: fix race between async notify and socket close

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

tls: fix race between async notify and socket close

The submitting thread (one which called recvmsg/sendmsg)
may exit as soon as the async crypto handler calls complete()
so any code past that point risks touching already freed data.

Try to avoid the locking and extra flags altogether.
Have the main thread hold an extra reference, this way
we can depend solely on the atomic ref counter for
synchronization.

Don't futz with reiniting the completion, either, we are now
tightly controlling when completion fires.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tls: corrige la ejecución entre la notificación asíncrona y el cierre del socket. El hilo de envío (uno que llamó recvmsg/sendmsg) puede salir tan pronto como el controlador criptográfico asíncrono llame a complete(), por lo que cualquier código pasado ese punto corre el riesgo de tocar datos ya liberados. Intente evitar por completo el bloqueo y las banderas adicionales. Haga que el hilo principal contenga una referencia adicional, de esta manera podemos depender únicamente del contador de referencia atómica para la sincronización. Tampoco te preocupes por reiniciar la finalización, ahora estamos controlando estrictamente cuándo se activa la finalización.

A race condition vulnerability was found in the tls subsystem of the Linux kernel. The submitting thread that calls recvmsg/sendmsg may exit as soon as the async crypto handler calls complete(); any code past that point risks touching already freed data. This could lead to a use-after-free issue and a denial of service condition.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-02-21 CVE Published
2024-03-16 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-416: Use After Free

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/0cada33241d9de205522e3858b18e506ca5cce2c	Vuln. Introduced
https://git.kernel.org/stable/c/cf4cc95a15f599560c7abd89095a7973a4b9cec3	Vuln. Introduced
https://git.kernel.org/stable/c/8dc5025c6a444548ab5e2ef9e6f4479f71c7c1a0	Vuln. Introduced
https://git.kernel.org/stable/c/9b81d43da15e56ed89f083f326561acdcaf549ce	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f17d21ea73918ace8afb9c2d8e734dbf71c2c9d7	2024-05-25
https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01	2024-02-23
https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a	2024-02-23
https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33	2024-02-23
https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d	2024-02-10

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26583	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2265520	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.15.160 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15.160"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.1.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.1.79"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.6.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.6.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.7.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.44 Search vendor "Linux" for product "Linux Kernel" and version "5.4.44"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.71 Search vendor "Linux" for product "Linux Kernel" and version "5.4.71"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.6.16 Search vendor "Linux" for product "Linux Kernel" and version "5.6.16"		en		Affected