{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-46858", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-11T15:12:18.291Z", "datePublished": "2024-09-27T12:42:49.167Z", "dateUpdated": "2025-12-24T13:21:35.775Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T13:21:35.775Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: Fix uaf in __timer_delete_sync\n\nThere are two paths to access mptcp_pm_del_add_timer, result in a race\ncondition:\n\n CPU1\t\t\t\tCPU2\n ==== ====\n net_rx_action\n napi_poll netlink_sendmsg\n __napi_poll netlink_unicast\n process_backlog netlink_unicast_kernel\n __netif_receive_skb genl_rcv\n __netif_receive_skb_one_core netlink_rcv_skb\n NF_HOOK genl_rcv_msg\n ip_local_deliver_finish genl_family_rcv_msg\n ip_protocol_deliver_rcu genl_family_rcv_msg_doit\n tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit\n tcp_v4_do_rcv mptcp_nl_remove_addrs_list\n tcp_rcv_established mptcp_pm_remove_addrs_and_subflows\n tcp_data_queue remove_anno_list_by_saddr\n mptcp_incoming_options mptcp_pm_del_add_timer\n mptcp_pm_del_add_timer kfree(entry)\n\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \"pm.lock\", the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\n\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \"entry->add_timer\".\n\nMove list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \"entry->x\" uaf."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/pm_netlink.c"], "versions": [{"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "0e7814b028cd50b3ff79659d23dfa9da6a1e75e1", "status": "affected", "versionType": "git"}, {"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "3554482f4691571fc4b5490c17ae26896e62171c", "status": "affected", "versionType": "git"}, {"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "67409b358500c71632116356a0b065f112d7b707", "status": "affected", "versionType": "git"}, {"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "6452b162549c7f9ef54655d3fb9977b9192e6e5b", "status": "affected", "versionType": "git"}, {"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "12134a652b0a10064844ea235173e70246eba6dc", "status": "affected", "versionType": "git"}, {"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "b4cd80b0338945a94972ac3ed54f8338d2da2076", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/pm_netlink.c"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.227", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.168", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.111", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.52", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.11", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.10.227"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.15.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.1.111"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.52"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.10.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0e7814b028cd50b3ff79659d23dfa9da6a1e75e1"}, {"url": "https://git.kernel.org/stable/c/3554482f4691571fc4b5490c17ae26896e62171c"}, {"url": "https://git.kernel.org/stable/c/67409b358500c71632116356a0b065f112d7b707"}, {"url": "https://git.kernel.org/stable/c/6452b162549c7f9ef54655d3fb9977b9192e6e5b"}, {"url": "https://git.kernel.org/stable/c/12134a652b0a10064844ea235173e70246eba6dc"}, {"url": "https://git.kernel.org/stable/c/b4cd80b0338945a94972ac3ed54f8338d2da2076"}], "title": "mptcp: pm: Fix uaf in __timer_delete_sync", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-29T13:57:46.692938Z", "id": "CVE-2024-46858", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-29T13:57:52.178Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:19:44.734Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:19:44.734Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-46858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-29T13:57:46.692938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-29T13:57:48.385Z"}}], "cna": {"title": "mptcp: pm: Fix uaf in __timer_delete_sync", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "0e7814b028cd50b3ff79659d23dfa9da6a1e75e1", "versionType": "git"}, {"status": "affected", "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "3554482f4691571fc4b5490c17ae26896e62171c", "versionType": "git"}, {"status": "affected", "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "67409b358500c71632116356a0b065f112d7b707", "versionType": "git"}, {"status": "affected", "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "6452b162549c7f9ef54655d3fb9977b9192e6e5b", "versionType": "git"}, {"status": "affected", "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "12134a652b0a10064844ea235173e70246eba6dc", "versionType": "git"}, {"status": "affected", "version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8", "lessThan": "b4cd80b0338945a94972ac3ed54f8338d2da2076", "versionType": "git"}], "programFiles": ["net/mptcp/pm_netlink.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.10"}, {"status": "unaffected", "version": "0", "lessThan": "5.10", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.227", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.168", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.111", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.52", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.11", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/mptcp/pm_netlink.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/0e7814b028cd50b3ff79659d23dfa9da6a1e75e1"}, {"url": "https://git.kernel.org/stable/c/3554482f4691571fc4b5490c17ae26896e62171c"}, {"url": "https://git.kernel.org/stable/c/67409b358500c71632116356a0b065f112d7b707"}, {"url": "https://git.kernel.org/stable/c/6452b162549c7f9ef54655d3fb9977b9192e6e5b"}, {"url": "https://git.kernel.org/stable/c/12134a652b0a10064844ea235173e70246eba6dc"}, {"url": "https://git.kernel.org/stable/c/b4cd80b0338945a94972ac3ed54f8338d2da2076"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: Fix uaf in __timer_delete_sync\n\nThere are two paths to access mptcp_pm_del_add_timer, result in a race\ncondition:\n\n CPU1\t\t\t\tCPU2\n ==== ====\n net_rx_action\n napi_poll netlink_sendmsg\n __napi_poll netlink_unicast\n process_backlog netlink_unicast_kernel\n __netif_receive_skb genl_rcv\n __netif_receive_skb_one_core netlink_rcv_skb\n NF_HOOK genl_rcv_msg\n ip_local_deliver_finish genl_family_rcv_msg\n ip_protocol_deliver_rcu genl_family_rcv_msg_doit\n tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit\n tcp_v4_do_rcv mptcp_nl_remove_addrs_list\n tcp_rcv_established mptcp_pm_remove_addrs_and_subflows\n tcp_data_queue remove_anno_list_by_saddr\n mptcp_incoming_options mptcp_pm_del_add_timer\n mptcp_pm_del_add_timer kfree(entry)\n\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \"pm.lock\", the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\n\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \"entry->add_timer\".\n\nMove list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \"entry->x\" uaf."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.227", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.111", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.52", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.10.11", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11", "versionStartIncluding": "5.10"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T13:21:35.775Z"}}}, "cveMetadata": {"cveId": "CVE-2024-46858", "state": "PUBLISHED", "dateUpdated": "2025-12-24T13:21:35.775Z", "dateReserved": "2024-09-11T15:12:18.291Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-09-27T12:42:49.167Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B62FC78-DC08-42C4-9B1A-D1F4632DBBE5", "versionEndExcluding": "6.1.111", "versionStartIncluding": "5.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02ADDA94-95BB-484D-8E95-63C0428A28E3", "versionEndExcluding": "6.6.52", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5DB5367-F1F5-4200-B3B3-FDF8AFC3D255", "versionEndExcluding": "6.10.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*", "matchCriteriaId": "E0005AEF-856E-47EB-BFE4-90C46899394D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*", "matchCriteriaId": "39889A68-6D34-47A6-82FC-CD0BF23D6754", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*", "matchCriteriaId": "B8383ABF-1457-401F-9B61-EE50F4C61F4F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*", "matchCriteriaId": "B77A9280-37E6-49AD-B559-5B23A3B1DC3D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*", "matchCriteriaId": "DE5298B3-04B4-4F3E-B186-01A58B5C75A6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: Fix uaf in __timer_delete_sync\n\nThere are two paths to access mptcp_pm_del_add_timer, result in a race\ncondition:\n\n CPU1\t\t\t\tCPU2\n ==== ====\n net_rx_action\n napi_poll netlink_sendmsg\n __napi_poll netlink_unicast\n process_backlog netlink_unicast_kernel\n __netif_receive_skb genl_rcv\n __netif_receive_skb_one_core netlink_rcv_skb\n NF_HOOK genl_rcv_msg\n ip_local_deliver_finish genl_family_rcv_msg\n ip_protocol_deliver_rcu genl_family_rcv_msg_doit\n tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit\n tcp_v4_do_rcv mptcp_nl_remove_addrs_list\n tcp_rcv_established mptcp_pm_remove_addrs_and_subflows\n tcp_data_queue remove_anno_list_by_saddr\n mptcp_incoming_options mptcp_pm_del_add_timer\n mptcp_pm_del_add_timer kfree(entry)\n\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \"pm.lock\", the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\n\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \"entry->add_timer\".\n\nMove list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \"entry->x\" uaf."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp:pm: Se corrige uaf en __timer_delete_sync Hay dos rutas para acceder a mptcp_pm_del_add_timer, lo que genera una condici\u00f3n de carrera: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netlink_unicast_kernel __netif_receive_skb genl_rcv __netif_receive_skb_one_core netlink_rcv_skb NF_HOOK genl_rcv_msg ip_local_deliver_finish genl_family_rcv_msg ip_protocol_deliver_rcu genl_family_rcv_msg_doit tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit tcp_v4_do_rcv mptcp_nl_remove_addrs_list tcp_rcv_established mptcp_pm_remove_addrs_and_subflows tcp_data_queue remove_anno_list_by_saddr mptcp_incoming_options mptcp_pm_del_add_timer mptcp_pm_del_add_timer kfree(entrada) En remove_anno_list_by_saddr(que se ejecuta en la CPU2), despu\u00e9s de salir de la zona cr\u00edtica protegida por \"pm.lock\", se liberar\u00e1 la entrada, lo que lleva a la aparici\u00f3n de uaf en mptcp_pm_del_add_timer(que se ejecuta en la CPU1). Mantener una referencia a add_timer dentro del bloqueo y llamar a sk_stop_timer_sync() con esta referencia, en lugar de \"entrada->add_timer\". Mueva list_del(&entry->list) a mptcp_pm_del_add_timer y dentro del bloqueo pm, no acceda directamente a ning\u00fan miembro de la entrada fuera del bloqueo pm, lo que puede evitar un uaf \"entry->x\" similar."}], "id": "CVE-2024-46858", "lastModified": "2025-12-24T14:15:46.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-27T13:15:17.353", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e7814b028cd50b3ff79659d23dfa9da6a1e75e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12134a652b0a10064844ea235173e70246eba6dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3554482f4691571fc4b5490c17ae26896e62171c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6452b162549c7f9ef54655d3fb9977b9192e6e5b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/67409b358500c71632116356a0b065f112d7b707"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b4cd80b0338945a94972ac3ed54f8338d2da2076"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10281", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.30.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:10265", "cpe": "cpe:/o:redhat:rhel_aus:8.4", "package": "kernel-0:4.18.0-305.145.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:10265", "cpe": "cpe:/o:redhat:rhel_tus:8.4", "package": "kernel-0:4.18.0-305.145.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:10265", "cpe": "cpe:/o:redhat:rhel_e4s:8.4", "package": "kernel-0:4.18.0-305.145.1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:9500", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.129.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9500", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.129.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9500", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.129.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:10262", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.81.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2024:9605", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.14.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9605", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.14.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9942", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "kernel-0:5.14.0-70.121.1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:9943", "cpe": "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package": "kernel-rt-0:5.14.0-70.121.1.rt21.193.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:9497", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.92.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9498", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.92.1.rt14.377.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9546", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "kernel-0:5.14.0-427.44.1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}], "bugzilla": {"description": "kernel: mptcp: pm: Fix uaf in __timer_delete_sync", "id": "2315210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315210"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmptcp: pm: Fix uaf in __timer_delete_sync\nThere are two paths to access mptcp_pm_del_add_timer, result in a race\ncondition:\nCPU1CPU2\n==== ====\nnet_rx_action\nnapi_poll netlink_sendmsg\n__napi_poll netlink_unicast\nprocess_backlog netlink_unicast_kernel\n__netif_receive_skb genl_rcv\n__netif_receive_skb_one_core netlink_rcv_skb\nNF_HOOK genl_rcv_msg\nip_local_deliver_finish genl_family_rcv_msg\nip_protocol_deliver_rcu genl_family_rcv_msg_doit\ntcp_v4_rcv mptcp_pm_nl_flush_addrs_doit\ntcp_v4_do_rcv mptcp_nl_remove_addrs_list\ntcp_rcv_established mptcp_pm_remove_addrs_and_subflows\ntcp_data_queue remove_anno_list_by_saddr\nmptcp_incoming_options mptcp_pm_del_add_timer\nmptcp_pm_del_add_timer kfree(entry)\nIn remove_anno_list_by_saddr(running on CPU2), after leaving the critical\nzone protected by \"pm.lock\", the entry will be released, which leads to the\noccurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).\nKeeping a reference to add_timer inside the lock, and calling\nsk_stop_timer_sync() with this reference, instead of \"entry->add_timer\".\nMove list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,\ndo not directly access any members of the entry outside the pm lock, which\ncan avoid similar \"entry->x\" uaf."], "name": "CVE-2024-46858", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-46858\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46858\nhttps://lore.kernel.org/linux-cve-announce/2024092744-CVE-2024-46858-dab6@gregkh/T"], "statement": "Actual only for latest version of Red Hat Enterprise Linux 9 and latest version of Red Hat Enterprise Linux 8.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-416: Use After Free vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure that only authorized users and roles can execute or modify code. Red Hat also enforces least functionality, enabling only essential features, services, and ports. Hardening guidelines ensure the most restrictive settings required for operations, while baseline configurations enforce safe memory allocation and deallocation practices to reduce the risk of use-after-free vulnerabilities. The environment employs IPS/IDS and antimalware solutions to detect and prevent malicious code and provide real-time visibility into memory usage, lowering the risk of arbitrary code execution. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of denial-of-service (DoS) attacks. In the event of successful exploitation, process isolation prevents a compromised process from accessing memory freed by another, containing potential impact. Finally, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) enhance resilience against memory-related vulnerabilities.", "threat_severity": "Moderate"}

{}