CVE-2024-40913

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40913
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40913.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-40913
Published
2024-07-12T13:15:14Z
Modified
2025-09-17T15:32:25Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: defer exposing anonfd until after copy_to_user() succeeds

After installing the anonymous fd, we can now see it in userland and close it. However, at this point we may not have gotten the reference count of the cache, but we will put it during close fd, so this may cause a cache UAF.

So grab the cache reference count before fd_install(). In addition, by kernel convention, fd is taken over by the user land after fd_install(), and the kernel should not call close_fd() after that, i.e., it should call fd_install() after everything is ready, thus fd_install() is called after copy_to_user() succeeds.
