Use-after-free in Linux kernel mm
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-43888 |
| CWE-ID | CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Linux kernel Operating systems & Components / Operating system |
| Vendor | Linux Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Use-after-free
EUVDB-ID: #VU96513
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-43888
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the list_lru_from_memcg_idx() and EXPORT_SYMBOL_GPL() functions in mm/list_lru.c. A local user can escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsLinux kernel: 6.10 - 6.10.4
CPE2.3- cpe:2.3:o:linux_foundation:linux_kernel:6.10:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.10.1:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.10.2:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.10.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux_foundation:linux_kernel:6.10.4:*:*:*:*:*:*:*
https://git.kernel.org/stable/c/4589f77c18dd98b65f45617b6d1e95313cf6fcab
https://git.kernel.org/stable/c/5161b48712dcd08ec427c450399d4d1483e21dea
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.10.5
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.11
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
