CVE-2024-27005 — Race Condition in Linux

CWE-362 — Race Condition CWE-667 — Improper Locking15 documents8 sources

Severity

6.3MEDIUMNVD

OSV6.8

EPSS

0.0%

top 99.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Linux +7 more

Timeline

PublishedMay 1

Latest updateJul 26

Description

In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to icc_node::req_list. The icc_set_bw() function will eventually iterate over req_list while only holding icc_bw_lock, but req_list can be modified while only holding icc_lock. This causes races between icc_se…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.0 | Impact: 5.2

Affected Packages12 packages

▶NVDlinux/linux_kernel5.15.133 — 5.16+4

▶Debianlinux/linux_kernel< 6.8.9-1+1

▶Ubuntulinux/linux_kernel< 6.8.0-38.38

▶CVEListV5linux/linux9be2957f014d91088db1eb5dd09d9a03d7184dce — fe549d8e976300d0dd75bd904eb216bed8b145e0+6

▶debiandebian/linux< linux 6.8.9-1 (forky)

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗Patch: git.kernel.org ↗

🔴Vulnerability Details

OSV

linux-oracle vulnerabilities↗2024-07-26

▶

OSV

linux-aws vulnerabilities↗2024-07-23

▶

OSV

linux-gke, linux-nvidia vulnerabilities↗2024-07-16

▶

OSV

linux, linux-azure, linux-gcp, linux-ibm, linux-intel, linux-lowlatency, linux-oem-6.8, linux-raspi vulnerabilities↗2024-07-11

▶

OSV

CVE-2024-27005: In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mute↗2024-05-01

▶

📋Vendor Advisories

Ubuntu

Linux kernel vulnerabilities↗2024-07-26

▶

Ubuntu

Linux kernel vulnerabilities↗2024-07-23

▶

Ubuntu

Linux kernel vulnerabilities↗2024-07-16

▶

Ubuntu

Linux kernel vulnerabilities↗2024-07-11

▶

Microsoft

interconnect: Don't access req_list while it's being manipulated↗2024-05-14

▶

💬Community

Bugzilla

CVE-2024-27005 kernel: interconnect: Don't access req_list while it's being manipulated↗2024-05-01

▶

External resources

NVD MITRE

Affected products10

Debian Linuxfixed in linux 6.8.9-1 (forky)

Linux≥ 9be2957f014d91088db1eb5dd09d9a03d7184dce, < fe549d8e976300d0dd75bd904eb216bed8b145e0≥ ee42bfc791aa3cd78e29046f26a09d189beb3efb, < 19ec82b3cad1abef2a929262b8c1528f4e0c192d≥ af42269c3523492d71ebbe11fefae2653e9cdc78, < d0d04efa2e367921654b5106cc5c05e3757c2b42+4 more

Linux Kernel≥ 0, < 6.8.9-1≥ 5.15.133, < 5.16≥ 6.1.55, < 6.2+4 more

Msrc Azl3 Hyperv-daemons 6.6.22.1-2 ON Azure Linux 3.0

Msrc Azl3 Hyperv-daemons 6.6.35.1-1 ON Azure Linux 3.0

Msrc Azure Linux 3.0 ARM

Msrc Azure Linux 3.0 X64

Msrc Cbl2 Kernel 5.15.186.1-1 ON CBL Mariner 2.0

Msrc Cbl2 Kernel 5.15.200.1-1 ON CBL Mariner 2.0

Msrc Cbl2 Kernel 5.15.202.1-1 ON CBL Mariner 2.0

Disclosure

PublishedMay 1, 2024

Latest updateJul 26, 2024