CVE-2024-0582
published 2024-01-16

Priority: P2 · 77 · high
CVSS 3.1: 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 12.84% (95.8th percentile)
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
debian | linux | < linux 6.6.8-1 (forky) | linux 6.6.8-1 (forky)
linux | linux_kernel | |
linux | linux_kernel | >= 0 < 6.6.8-1 | 6.6.8-1
linux | linux_kernel | >= 0 < 6.6.8-1 | 6.6.8-1
linux | linux_kernel | >= 6.4 < 6.6.5 | 6.6.5

Detection & IOCs (extracted from sources)

hash: c56e022c0a27
hash: c392cbecd8eca4c53f2bf508731257d9d0a21c2d
command: io_uring_register(..., IORING_REGISTER_PBUF_RING, ...)
command: mmap() with offset IORING_OFF_PBUF_RING
  • Detect exploitation attempts by monitoring for the sequence: IORING_REGISTER_PBUF_RING registration, followed by mmap() of the buffer ring, followed by IORING_UNREGISTER_PBUF_RING — this exact sequence is the exploit primitive.
  • The exploit achieves privilege escalation via a data-only technique (no code execution flow alteration); standard code-integrity controls will not detect this — focus on anomalous privilege changes in processes using io_uring.
  • Affected kernel versions start from the commit introducing user-mapped provided buffer ring support (Linux 6.4); fixed in Fedora with kernel 6.6.5 and Debian/sid with 6.6.8-1. Flag systems running kernels in range [6.4, 6.6.5).
  • Red Hat Enterprise Linux (RHEL) 6 through 9 are NOT affected because the upstream commit introducing the vulnerable code (c56e022) is not included in any RHEL shipping kernel.
  • The vulnerability only exists on Linux kernels >= 6.4 where IORING_REGISTER_PBUF_RING with user-mapped buffer rings was introduced; earlier kernels are not affected.
  • Exploitation requires local user access; this is not a remotely exploitable vulnerability.

CVSS provenance

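Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | | 7.8 | HIGH |
vulncheck | | 7.8 | HIGH |
vendor_debian | | 7.8 | LOW |
vendor_redhat | | 7.8 | HIGH |
vendor_ubuntu | | 7.0 | HIGH |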