CVE-2024-35831

io_uring: Fix release of pinned pages when __io_uaddr_map fails

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix release of pinned pages when __io_uaddr_map fails Looking at the error path of __io_uaddr_map, if we fail after pinning
the pages for any reasons, ret will be set to -EINVAL and the error
handler won't properly release the pinned pages. I didn't manage to trigger it without forcing a failure, but it can
happen in real life when memory is heavily fragmented.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: corregida la liberación de páginas fijadas cuando falla __io_uaddr_map. Mirando la ruta de error de __io_uaddr_map, si fallamos después de fijar las páginas por cualquier motivo, ret se establecerá en -EINVAL y el El controlador de errores no libera correctamente las páginas fijadas. No logré activarlo sin forzar un fallo, pero puede suceder en la vida real cuando la memoria está muy fragmentada.

A flaw was found in the `io_uring` subsystem in the Linux kernel, where pinned pages are not properly released if the `__io_uaddr_map` function fails. This could lead to resource leaks or other unintended behaviors.

In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix release of pinned pages when __io_uaddr_map fails Looking at the error path of __io_uaddr_map, if we fail after pinning the pages for any reasons, ret will be set to -EINVAL and the error handler won't properly release the pinned pages. I didn't manage to trigger it without forcing a failure, but it can happen in real life when memory is heavily fragmented.

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-17 CVE Published
2025-05-04 CVE Updated
2025-06-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/223ef474316466e9f61f6e0064f3a6fe4923a2c5	Vuln. Introduced
https://git.kernel.org/stable/c/3f3164ce6396138747984ee9e61158e248246300	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62	2024-03-26
https://git.kernel.org/stable/c/712e2c8415f55a4a4ddaa98a430b87f624109f69	2024-03-26
https://git.kernel.org/stable/c/4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a	2024-03-26
https://git.kernel.org/stable/c/67d1189d1095d471ed7fa426c7e384a7140a5dd7	2024-03-13

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35831	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2281173	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.5.7 Search vendor "Linux" for product "Linux Kernel" and version "6.5.7"		en		Affected