Use-after-free in Linux kernel

#VU92308 Use-after-free in Linux kernel

Cybersecurity Help s.r.o.

Published: 2024-06-20

Vulnerability identifier: #VU92308

Vulnerability risk: Low

CVSSv3.1: 7.7 [AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-38561

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the kunit_try_catch_run() function in lib/kunit/try-catch.c. A local user can escalate privileges on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel:

External links
http://git.kernel.org/stable/c/1f2ebd3758e1cef6a1f998a1f7ea73310dcb1699
http://git.kernel.org/stable/c/1ec7ccb4cd4b6f72c2998b07880fa7aaf8dfe1d4
http://git.kernel.org/stable/c/8f5c841a559ccb700c8d27a3ca645b7a5f59b4f5
http://git.kernel.org/stable/c/b0b755cb5a5e0d7168c3ab1b3814b0d3cad9f017
http://git.kernel.org/stable/c/f8aa1b98ce40184521ed95ec26cc115a255183b2

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 24.03 LTS update for kernel

Ubuntu update for linux-lowlatency

Ubuntu update for linux-oem-6.8

openEuler 22.03 LTS SP1 update for kernel

openEuler 22.03 LTS SP3 update for kernel

openEuler 22.03 LTS SP4 update for kernel

Ubuntu update for linux-nvidia-lowlatency

Ubuntu update for linux

Use-after-free in Linux kernel kunit