high
7.8
CWE
416
Advisory Published
Updated

CVE-2024-49982: aoe: fix the potential use-after-free problem in more places

First published: Mon Oct 21 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Kernel>=5.10.214<5.10.227
Linux Kernel>=5.15.153<5.15.168
Linux Kernel>=6.1.83<6.1.113
Linux Kernel>=6.6.23<6.6.55
Linux Kernel>=6.7.11<6.8.2
Linux Kernel>=6.9<6.10.14
Linux Kernel>=6.11<6.11.3
Linux Kernel=4.19.311
Linux Kernel=5.4.273
Linux Kernel=6.12-rc1
debian/linux<=5.10.223-1<=5.10.226-1
6.1.123-1
6.1.128-1
6.12.12-1
6.12.15-1
debian/linux-6.1
6.1.119-1~deb11u1

Remedy

https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79

Remedy

https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3

Remedy

https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58

Remedy

https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f

Remedy

https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3

Remedy

https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254

Remedy

https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-49982?

    The severity of CVE-2024-49982 is classified as high due to the potential for use-after-free vulnerabilities in the Linux kernel.

  • How do I fix CVE-2024-49982?

    To fix CVE-2024-49982, upgrade to the latest patched versions of the Linux kernel provided by your distribution.

  • Which versions of the Linux kernel are affected by CVE-2024-49982?

    CVE-2024-49982 affects Linux kernel versions between 4.19.311 and 6.12-rc1, along with specific versions in between.

  • What types of systems are impacted by CVE-2024-49982?

    CVE-2024-49982 primarily impacts systems running specific versions of the Linux kernel across various Linux distributions.

  • Are there any workarounds for CVE-2024-49982?

    There are no recommended workarounds for CVE-2024-49982, so applying the security patch is essential.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203