CVE-2024-0582
Published: 2024-01-16
Priority: P277 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 12.84% (95.8th percentile)
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 6.6.8-1 (forky) | linux 6.6.8-1 (forky) |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.6.8-1 | 6.6.8-1 |
| linux | linux_kernel | >= 0 < 6.6.8-1 | 6.6.8-1 |
| linux | linux_kernel | >= 6.4 < 6.6.5 | 6.6.5 |
Detection & IOCs
- Detect exploitation attempts by monitoring for the sequence: IORING_REGISTER_PBUF_RING registration, followed by mmap() of the buffer ring, followed by IORING_UNREGISTER_PBUF_RING; this exact sequence is the exploit primitive.
- The exploit achieves privilege escalation via a data-only technique (no code execution flow alteration); standard code-integrity controls will not detect this, so focus on anomalous privilege changes in processes using io_uring.
- Affected kernel versions start from the commit introducing user-mapped provided buffer ring support (Linux 6.4); fixed in Fedora with kernel 6.6.5 and Debian/sid with 6.6.8-1. Flag systems running kernels in range [6.4, 6.6.5).
- Red Hat Enterprise Linux (RHEL) 6 through 9 are NOT affected because the upstream commit introducing the vulnerable code (c56e022) is not included in any RHEL shipping kernel.
- The vulnerability only exists on Linux kernels >= 6.4 where IORING_REGISTER_PBUF_RING with user-mapped buffer rings was introduced; earlier kernels are not affected.
- Exploitation requires local user access; this is not a remotely exploitable vulnerability.
CVSS provenance
- nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- osv · 7.8 · HIGH
- vulncheck · 7.8 · HIGH
- vendor_debian · 7.8 · LOW
- vendor_redhat · 7.8 · HIGH
- vendor_ubuntu · 7.0 · HIGH
OSV
linux-starfive-6.5 vulnerabilities
osv·2024-02-29·CVSS 7.0
CVE-2023-51780 [HIGH] linux-starfive-6.5 vulnerabilities
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A local attacker could use this to cause a
OSV
linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5 vulnerabilities
osv·2024-02-28·CVSS 7.0
CVE-2023-51780 [HIGH] linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5 vulnerabilities
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A lo
OSV
linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive vulnerabilities
osv·2024-02-23·CVSS 7.0
CVE-2023-51780 [HIGH] linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive vulnerabilities
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly chec
OSV
linux-azure vulnerabilities
osv·2024-02-23·CVSS 4.9
CVE-2023-34324 [MEDIUM] linux-azure vulnerabilities
Marek Marczykowski-Górecki discovered that the Xen event channel
infrastructure implementation in the Linux kernel contained a race
condition. An attacker in a guest VM could possibly use this to cause a
denial of service (paravirtualized device unavailability). (CVE-2023-34324)
Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver
in the Linux kernel during device removal. A privileged attacker could use
this to cause a denial of service (system crash). (CVE-2023-35827)
Tom Dohrmann discovered that the Secure Encrypted Virtualization (SEV)
implementation for AMD processors in the Linux kernel contained a race
condition when accessing MMIO registers. A local attacker in a SEV guest VM
could possibly use this to cause a denial of service (s
GHSA
GHSA-vqhw-2g88-5gvm: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap()
ghsa_unreviewed·2024-01-16
CVE-2024-0582 [HIGH] CWE-416 GHSA-vqhw-2g88-5gvm: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap()
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
OSV
CVE-2024-0582: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap()
osv·2024-01-16·CVSS 7.8
CVE-2024-0582 [HIGH] CVE-2024-0582: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap()
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
VulnCheck
Linux Kernel Use After Free
vulncheck·2024·CVSS 7.8
CVE-2024-0582 [HIGH] Linux Kernel Use After Free
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/
Exploit PoC: https://vulncheck.com/xdb/494d2265863f; https://vulncheck.com/xdb/3310aa824bc4; https://vulncheck.com/xdb/ec7832b63942; https://vulncheck.com/xdb/3c50fe9f072c; https://vulncheck.com/xdb/a072578b3a49
Ubuntu
Linux kernel (StarFive) vulnerabilities
vendor_ubuntu·2024-02-29·CVSS 7.0
CVE-2024-0565 [HIGH] Linux kernel (StarFive) vulnerabilities
Title: Linux kernel (StarFive) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check f
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2024-02-28·CVSS 7.0
CVE-2024-0565 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bit
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2024-02-23·CVSS 7.0
CVE-2023-51781 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bit
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2024-02-23·CVSS 4.9
CVE-2023-46862 [MEDIUM] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Marek Marczykowski-Górecki discovered that the Xen event channel
infrastructure implementation in the Linux kernel contained a race
condition. An attacker in a guest VM could possibly use this to cause a
denial of service (paravirtualized device unavailability). (CVE-2023-34324)
Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver
in the Linux kernel during device removal. A privileged attacker could use
this to cause a denial of service (system crash). (CVE-2023-35827)
Tom Dohrmann discovered that the Secure Encrypted Virtualization (SEV)
implementation for AMD processors in the Linux kernel contained a race
condition when accessing MMIO registers. A local
Red Hat
kernel: io_uring: page use-after-free vulnerability via buffer ring mmap
vendor_redhat·2024-01-08·CVSS 7.8
CVE-2024-0582 [HIGH] CWE-416 kernel: io_uring: page use-after-free vulnerability via buffer ring mmap
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Statement: Red Hat Enterprise Linux is not affected by this vulnerability as the upstream commit that introduced this flaw (c56e022 "io_uring: add support for user mapped provided buffer
Debian
CVE-2024-0582: linux - A memory leak flaw was found in the Linux kernel’s io_uring functionality in how...
vendor_debian·2024·CVSS 7.8
CVE-2024-0582 [HIGH] CVE-2024-0582: linux - A memory leak flaw was found in the Linux kernel’s io_uring functionality in how...
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 6.6.8-1)
sid: resolved (fixed in 6.6.8-1)
trixie: resolved (fixed in 6.6.8-1)
No detection rules found.
No public exploits indexed.
Securelist
Vulnerability landscape analysis for Q4 2024
blogs_securelist·2025-02-26
Authors
- Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism.
## Statistics on registered vulnerabilities
This section contains statistics on registered vulnerabilities. Data is sourced from the CVE portal: cve.org.
Total number of registered vulnerabilities a
Securelist
Exploits and vulnerabilities in Q4 2024
blogs_securelist·2025-02-26·CVSS 6.5
CVE-2024-43572 [MEDIUM] Exploits and vulnerabilities in Q4 2024
Authors
Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leve
Checkpoint
1st April – Threat Intelligence Report
blogs_checkpoint·2024-04-01
CVE-2023-48022 1st April – Threat Intelligence Report
## 1st April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st April, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The US and UK governments have announced a criminal indictment and sanctions against APT31, a group of Chinese hackers, for their role in allegedly conducting attacks against companies in the US, as well as government officials in the UK. Check Point has shared its insights on the event and referenced a past report about APT31,
Bugzilla
CVE-2024-0582 kernel: io_uring: page use-after-free vulnerability via buffer ring mmap
bugzilla·2023-12-11·CVSS 7.8
CVE-2024-0582 [HIGH] CVE-2024-0582 kernel: io_uring: page use-after-free vulnerability via buffer ring mmap
Since commit c56e022c0a27 ("io_uring: add support for user mapped provided buffer ring"), landed in Linux 6.4, io_uring makes it possible to allocate, mmap, and deallocate "buffer rings".
A "buffer ring" can be allocated with io_uring_register(..., IORING_REGISTER_PBUF_RING, ...) and later deallocated with io_uring_register(..., IORING_UNREGISTER_PBUF_RING, ...). It can be mapped into userspace using mmap() with offset IORING_OFF_PBUF_RING|..., which creates a VM_PFNMAP mapping, meaning the MM subsystem will treat the mapping as a set of opaque page frame numbers not associated with any corresponding pages; this implies that the calling code is responsible for ensuring that the mapped memory can not be
- https://access.redhat.com/security/cve/CVE-2024-0582
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2504
- https://bugzilla.redhat.com/show_bug.cgi?id=2254050
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c392cbecd8eca4c53f2bf508731257d9d0a21c2d
- http://www.openwall.com/lists/oss-security/2024/04/24/3