CVE Vulnerability Details: CVE-2024-56642
PUBLISHED
Assigner: Linux
Assigner Org ID: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At: 27 Dec, 2024 | 15:02
Updated At: 03 Nov, 2025 | 20:51
CVE Numbering Authority (CNA)
tipc: Fix use-after-free of kernel socket in cleanup_bearer().

In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

syzkaller reported a use-after-free of UDP kernel socket in cleanup_bearer() without repro. [0][1]

When bearer_disable() calls tipc_udp_disable(), cleanup of the UDP kernel socket is deferred by work calling cleanup_bearer().

tipc_exit_net() waits for such works to finish by checking tipc_net(net)->wq_count. However, the work decrements the count too early before releasing the kernel socket, unblocking cleanup_net() and resulting in use-after-free.

Let's move the decrement after releasing the socket in cleanup_bearer().

[0]:
ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at
     sk_alloc+0x438/0x608
     inet_create+0x4c8/0xcb0
     __sock_create+0x350/0x6b8
     sock_create_kern+0x58/0x78
     udp_sock_create4+0x68/0x398
     udp_sock_create+0x88/0xc8
     tipc_udp_enable+0x5e8/0x848
     __tipc_nl_bearer_enable+0x84c/0xed8
     tipc_nl_bearer_enable+0x38/0x60
     genl_family_rcv_msg_doit+0x170/0x248
     genl_rcv_msg+0x400/0x5b0
     netlink_rcv_skb+0x1dc/0x398
     genl_rcv+0x44/0x68
     netlink_unicast+0x678/0x8b0
     netlink_sendmsg+0x5e4/0x898
     ____sys_sendmsg+0x500/0x830

[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 udp_hashslot include/net/udp.h:85 [inline]
 udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
 __sock_release net/socket.c:658 [inline]
 sock_release+0xa0/0x210 net/socket.c:686
 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_free_hook mm/slub.c:2269 [inline]
 slab_free mm/slub.c:4580 [inline]
 kmem_cache_free+0x207/0xc40 mm/slub.c:4682
 net_free net/core/net_namespace.c:454 [inline]
 cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer

Affected Products
Vendor: Linux Kernel Organization, Inc (Linux)
Product: Linux
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files:
  • net/tipc/udp_media.c
Default Status: unaffected
Versions
Affected
  • From d1f76dfadaf8f47ed1753f97dbcbd41c16215ffa before 4e69457f9dfae67435f3ccf29008768eae860415 (git)
  • From 5195ec5e365a2a9331bfeb585b613a6e94f98dba before 650ee9a22d7a2de8999fac2d45983597a0c22359 (git)
  • From 04c26faa51d1e2fe71cf13c45791f5174c37f986 before d2a4894f238551eae178904e7f45af87577074fd (git)
  • From 04c26faa51d1e2fe71cf13c45791f5174c37f986 before d62d5180c036eeac09f80660edc7a602b369125f (git)
  • From 04c26faa51d1e2fe71cf13c45791f5174c37f986 before d00d4470bf8c4282617a3a10e76b20a9c7e4cffa (git)
  • From 04c26faa51d1e2fe71cf13c45791f5174c37f986 before e48b211c4c59062cb6dd6c2c37c51a7cc235a464 (git)
  • From 04c26faa51d1e2fe71cf13c45791f5174c37f986 before 6a2fa13312e51a621f652d522d7e2df7066330b6 (git)
  • b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d (git)
Vendor: Linux Kernel Organization, Inc (Linux)
Product: Linux
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files:
  • net/tipc/udp_media.c
Default Status: affected
Versions
Affected
  • 5.13
Unaffected
  • From 0 before 5.13 (semver)
  • From 5.4.287 through 5.4.* (semver)
  • From 5.10.231 through 5.10.* (semver)
  • From 5.15.174 through 5.15.* (semver)
  • From 6.1.120 through 6.1.* (semver)
  • From 6.6.66 through 6.6.* (semver)
  • From 6.12.5 through 6.12.* (semver)
  • From 6.13 through * (original_commit_for_fix)
References
  • https://git.kernel.org/stable/c/4e69457f9dfae67435f3ccf29008768eae860415
  • https://git.kernel.org/stable/c/650ee9a22d7a2de8999fac2d45983597a0c22359
  • https://git.kernel.org/stable/c/d2a4894f238551eae178904e7f45af87577074fd
  • https://git.kernel.org/stable/c/d62d5180c036eeac09f80660edc7a602b369125f
  • https://git.kernel.org/stable/c/d00d4470bf8c4282617a3a10e76b20a9c7e4cffa
  • https://git.kernel.org/stable/c/e48b211c4c59062cb6dd6c2c37c51a7cc235a464
  • https://git.kernel.org/stable/c/6a2fa13312e51a621f652d522d7e2df7066330b6
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-416
Description: CWE-416 Use After Free
Metrics
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2. CVE Program Container
References
  • https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
  • https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html