DEBIAN-CVE-2024-41096

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2024-41096

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-41096.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-41096

Upstream

CVE-2024-41096

Published

2024-07-29T16:15:04Z

Modified

2025-09-30T05:19:23.470055Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: PCI/MSI: Fix UAF in msicapabilityinit KFENCE reports the following UAF: BUG: KFENCE: use-after-free read in _pcienablemsirange+0x2c0/0x488 Use-after-free read at 0x0000000024629571 (in kfence-#12): _pcienablemsirange+0x2c0/0x488 pciallocirqvectorsaffinity+0xec/0x14c pciallocirqvectors+0x18/0x28 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128 allocated by task 81 on cpu 7 at 10.808142s: _kmemcacheallocnode+0x1f0/0x2bc kmalloctrace+0x44/0x138 msiallocdesc+0x3c/0x9c msidomaininsertmsidesc+0x30/0x78 msisetupmsidesc+0x13c/0x184 _pcienablemsirange+0x258/0x488 pciallocirqvectorsaffinity+0xec/0x14c pciallocirqvectors+0x18/0x28 freed by task 81 on cpu 7 at 10.811436s: msidomainfreedescs+0xd4/0x10c msidomainfreelocked.part.0+0xc0/0x1d8 msidomainallocirqsalllocked+0xb4/0xbc pcimsisetupmsiirqs+0x30/0x4c _pcienablemsirange+0x2a8/0x488 pciallocirqvectorsaffinity+0xec/0x14c pciallocirqvectors+0x18/0x28 Descriptor allocation done in: _pcienablemsirange msicapabilityinit msisetupmsidesc msiinsertmsidesc msidomaininsertmsidesc msiallocdesc ... Freed in case of failure in _msidomainalloclocked() _pcienablemsirange msicapabilityinit pcimsisetupmsiirqs msidomainallocirqsalllocked msidomainalloclocked _msidomainalloclocked => fails msidomainfreelocked ... That failure propagates back to pcimsisetupmsiirqs() in msicapability_init() which accesses the descriptor for unmasking in the error exit path. Cure it by copying the descriptor and using the copy for the error exit path unmask operation. [ tglx: Massaged change log ]

References

https://security-tracker.debian.org/tracker/CVE-2024-41096

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.112-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.9.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.9.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name: linux-6.1
Purl: pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.119-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1

6.1.106-3~deb11u2

6.1.106-3~deb11u3

6.1.112-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}