#VU90151 Use-after-free in Linux kernel


Published: 2024-05-31

Vulnerability identifier: #VU90151

Vulnerability risk: Medium

CVSSv3.1: 5 [AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-35863

CWE-ID: CWE-416

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the is_valid_oplock_break() function in fs/smb/client/misc.c. A remote non-authenticated attacker can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel:

External links
http://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac
http://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2
http://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825
http://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for the Linux Kernel
Ubuntu update for linux-oracle
Ubuntu update for linux-aws
SUSE update for the Linux Kernel
Ubuntu update for linux-gke
SUSE update for the Linux Kernel
Ubuntu update for linux
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel