#VU93345 Use-after-free in Linux kernel - CVE-2024-36910

Vulnerability identifier: #VU93345

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-36910

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the hv_uio_cleanup() and hv_uio_probe() functions in drivers/uio/uio_hv_generic.c. A local user can escalate privileges on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

---

External links
https://git.kernel.org/stable/c/dabf12bf994318d939f70d47cfda30e47abb2c54
https://git.kernel.org/stable/c/6466a0f6d235c8a18c602cb587160d7e49876db9
https://git.kernel.org/stable/c/fe2c58602354fbd60680dc42ac3a0b772cda7d23
https://git.kernel.org/stable/c/3d788b2fbe6a1a1a9e3db09742b90809d51638b7

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.