CVE-2024-27022: Use of Uninitialized Resource in Linux

Severity
7.8 HIGH (NVD)
OSV 6.8 / OSV 5.5
EPSS
0.0%
top 98.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 1
Latest update: Dec 12

Description

In the Linux kernel, the following vulnerability has been resolved:

fork: defer linking file vma until vma is fully initialized

Thorvald reported a WARNING [1]. And the root cause is below race:

    CPU 1                                   CPU 2
    fork                                    hugetlbfs_fallocate
     dup_mmap                                hugetlbfs_punch_hole
      i_mmap_lock_write(mapping);
      vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.
      i_mmap_unlock_write(mapping);
      hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!
                                             i_mmap_lock_write(mapping);
                                             hugetlb_v

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages: 7 packages

Patches

🔴 Vulnerability Details (7)

OSV: linux-gkeop vulnerabilities (2024-12-12)
OSV: linux-oracle vulnerabilities (2024-07-26)
OSV: linux-aws vulnerabilities (2024-07-23)
OSV: linux-gke, linux-nvidia vulnerabilities (2024-07-16)
OSV: linux, linux-azure, linux-gcp, linux-ibm, linux-intel, linux-lowlatency, linux-oem-6.8, linux-raspi vulnerabilities (2024-07-11)

📋 Vendor Advisories (9)

Ubuntu: Linux kernel (GKE) vulnerabilities (2024-12-12)
Ubuntu: Linux kernel vulnerabilities (2024-07-26)
Ubuntu: Linux kernel vulnerabilities (2024-07-23)
Ubuntu: Linux kernel vulnerabilities (2024-07-16)
Ubuntu: Linux kernel vulnerabilities (2024-07-11)

💬 Community (1)

Bugzilla: CVE-2024-27022 kernel: fork: defer linking file vma until vma is fully initialized (2024-05-01)