CVE-2024-26974

7.0

HIGH

Intel Qat Use-After-Free Vulnerability

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: qat - resolve race condition during AER recovery During the PCI AER system's error recovery process, the kernel driver may encounter a race condition with freeing the reset_data structure's memory. If the device restart will take more than 10 seconds the function scheduling that restart will exit due to a timeout, and the reset_data structure will be freed. However, this data structure is used for completion notification after the restart is completed, which leads to a UAF bug. This results in a KFENCE bug notice. BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat] Use-after-free read at 0x00000000bc56fddf (in kfence-#142): adf_device_reset_worker+0x38/0xa0 [intel_qat] process_one_work+0x173/0x340 To resolve this race condition, the memory associated to the container of the work_struct is freed on the worker if the timeout expired, otherwise on the function that schedules the worker. The timeout detection can be done by checking if the caller is still waiting for completion or not by using completion_done() function.

INFO

Published Date :

May 1, 2024, 6:15 a.m.

Last Modified :

Dec. 23, 2024, 2 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

5.9

Exploitability Score :

1.0

Affected Products

The following products are affected by CVE-2024-26974 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product	Action
1	Linux	linux_kernel
1	Debian	debian_linux

: Total Affected Vendor : 2 | Products : 2

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-26974.

URL	Resource
https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be	Patch
https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7	Patch
https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f	Patch
https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c	Patch
https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc	Patch
https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81	Patch
https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828	Patch
https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71	Patch
https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7	Patch
https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be	Patch
https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7	Patch
https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f	Patch
https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c	Patch
https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc	Patch
https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81	Patch
https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828	Patch
https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71	Patch
https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html	Mailing List Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-26974 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-26974 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

Initial Analysis by [email protected]

Dec. 23, 2024

CVE Modified by af854a3a-2127-422b-91ae-364da2661108

Nov. 21, 2024

Action	Type	New Value
Added	Reference	https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be
Added	Reference	https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7
Added	Reference	https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f
Added	Reference	https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c
Added	Reference	https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc
Added	Reference	https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81
Added	Reference	https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828
Added	Reference	https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71
Added	Reference	https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7
Added	Reference	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Added	Reference	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Nov. 05, 2024

Action	Type	Old Value	New Value
Removed	Reference	kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Removed	Reference	kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Jun. 27, 2024

Action	Type	Old Value	New Value
Added	Reference		kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Jun. 25, 2024

Action	Type	Old Value	New Value
Added	Reference		kernel.org https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html [No types assigned]

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

May. 29, 2024

Action	Type	Old Value	New Value

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

May. 14, 2024

Action	Type	Old Value	New Value

CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

May. 01, 2024

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: crypto: qat - resolve race condition during AER recovery During the PCI AER system's error recovery process, the kernel driver may encounter a race condition with freeing the reset_data structure's memory. If the device restart will take more than 10 seconds the function scheduling that restart will exit due to a timeout, and the reset_data structure will be freed. However, this data structure is used for completion notification after the restart is completed, which leads to a UAF bug. This results in a KFENCE bug notice. BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat] Use-after-free read at 0x00000000bc56fddf (in kfence-#142): adf_device_reset_worker+0x38/0xa0 [intel_qat] process_one_work+0x173/0x340 To resolve this race condition, the memory associated to the container of the work_struct is freed on the worker if the timeout expired, otherwise on the function that schedules the worker. The timeout detection can be done by checking if the caller is still waiting for completion or not by using completion_done() function.
Added	Reference	kernel.org https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828 [No types assigned]
Added	Reference	kernel.org https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c [No types assigned]

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-26974 is associated with the following CWEs:

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-416: Use After Free

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-26974 weaknesses.

CAPEC-27: Leveraging Race Conditions via Symbolic Links Leveraging Race Conditions via Symbolic Links CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-367
Added	CWE		NIST CWE-416
Added	CPE Configuration		OR cpe:2.3:o:debian:debian_linux:10.0:::::::
Added	CPE Configuration		OR cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 3.17 up to (excluding) 4.19.312 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 4.20 up to (excluding) 5.4.274 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.5 up to (excluding) 5.10.215 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.11 up to (excluding) 5.15.154 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.16 up to (excluding) 6.1.84 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.24 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.7.12 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.8 up to (excluding) 6.8.3
Changed	Reference Type	https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be No Types Assigned	https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be Patch
Changed	Reference Type	https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be No Types Assigned	https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be Patch
Changed	Reference Type	https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 No Types Assigned	https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 No Types Assigned	https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f No Types Assigned	https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f Patch
Changed	Reference Type	https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f No Types Assigned	https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f Patch
Changed	Reference Type	https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c No Types Assigned	https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c Patch
Changed	Reference Type	https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c No Types Assigned	https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c Patch
Changed	Reference Type	https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc No Types Assigned	https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc Patch
Changed	Reference Type	https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc No Types Assigned	https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc Patch
Changed	Reference Type	https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81 No Types Assigned	https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81 No Types Assigned	https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828 No Types Assigned	https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828 No Types Assigned	https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71 No Types Assigned	https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71 No Types Assigned	https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7 No Types Assigned	https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7 No Types Assigned	https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7 Patch
Changed	Reference Type	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html No Types Assigned	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Mailing List, Third Party Advisory
Changed	Reference Type	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html No Types Assigned	https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Mailing List, Third Party Advisory

CVE-2024-26974

Intel Qat Use-After-Free Vulnerability

Description

INFO

May 1, 2024, 6:15 a.m.

Dec. 23, 2024, 2 p.m.

416baaa9-dc9f-4396-8d5f-8c081fb06d67

No

5.9

1.0

Affected Products

References to Advisories, Solutions, and Tools

Initial Analysis by [email protected]

CVE Modified by af854a3a-2127-422b-91ae-364da2661108

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CWE - Common Weakness Enumeration

Common Attack Pattern Enumeration and Classification (CAPEC)

CVSS31 - Vulnerability Scoring System

Theme Customizer

Layout

Vertical

Horizontal

Two Column

Color Scheme

Light

Dark

Layout Width

Fluid

Boxed

Layout Position

Topbar Color

Light

Dark

Sidebar Size

Default

Compact

Small (Icon View)

Small Hover View

Sidebar View

Default

Detached

Sidebar Color

Light

Dark

Gradient

Preloader

Enable

Disable