CVE-2024-44946 (GCVE-0-2024-44946)

Vulnerability from cvelistv5 – Published: 2024-08-31 13:22 – Updated: 2026-05-11 20:32
VLAI
Title
kcm: Serialise kcm_sendmsg() for the same socket.
Summary
In the Linux kernel, the following vulnerability has been resolved: kcm: Serialise kcm_sendmsg() for the same socket. syzkaller reported UAF in kcm_release(). [0] The scenario is 1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb. 2. Thread A resumes building skb from kcm->seq_skb but is blocked by sk_stream_wait_memory() 3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb and puts the skb to the write queue 4. Thread A faces an error and finally frees skb that is already in the write queue 5. kcm_release() does double-free the skb in the write queue When a thread is building a MSG_MORE skb, another thread must not touch it. Let's add a per-sk mutex and serialise kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor ---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 8c9cdbf600143bd6835c8b8351e5ac956da79aec (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 6633b17840bf828921254d788ccd15602843fe9b (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < eb06c8d3022ce6738711191c89f9b3e9cfb91914 (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < fa6c23fe6dcac8c8bd63920ee8681292a2bd544e (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 72da240aafb142630cf16adc803ccdacb3780849 (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 00425508f30baa5ab6449a1f478480ca7cffa6da (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 9c8d544ed619f704e2b70e63e08ab75630c2ea23 (git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 807067bf014d4a3ae2cc55bd3de16f22a01eb580 (git)
Create a notification for this product.
Linux Linux Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 4.19.321 , ≤ 4.19.* (semver)
Unaffected: 5.4.283 , ≤ 5.4.* (semver)
Unaffected: 5.10.225 , ≤ 5.10.* (semver)
Unaffected: 5.15.166 , ≤ 5.15.* (semver)
Unaffected: 6.1.107 , ≤ 6.1.* (semver)
Unaffected: 6.6.48 , ≤ 6.6.* (semver)
Unaffected: 6.10.7 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:27:06.483265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:16.399Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:13:51.524Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/kcm.h",
            "net/kcm/kcmsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c9cdbf600143bd6835c8b8351e5ac956da79aec",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "6633b17840bf828921254d788ccd15602843fe9b",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "eb06c8d3022ce6738711191c89f9b3e9cfb91914",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "fa6c23fe6dcac8c8bd63920ee8681292a2bd544e",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "72da240aafb142630cf16adc803ccdacb3780849",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "00425508f30baa5ab6449a1f478480ca7cffa6da",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "9c8d544ed619f704e2b70e63e08ab75630c2ea23",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            },
            {
              "lessThan": "807067bf014d4a3ae2cc55bd3de16f22a01eb580",
              "status": "affected",
              "version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/kcm.h",
            "net/kcm/kcmsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.321",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.283",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.225",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.166",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.107",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.321",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.283",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.225",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.166",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.107",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.48",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.7",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Serialise kcm_sendmsg() for the same socket.\n\nsyzkaller reported UAF in kcm_release(). [0]\n\nThe scenario is\n\n  1. Thread A builds a skb with MSG_MORE and sets kcm-\u003eseq_skb.\n\n  2. Thread A resumes building skb from kcm-\u003eseq_skb but is blocked\n     by sk_stream_wait_memory()\n\n  3. Thread B calls sendmsg() concurrently, finishes building kcm-\u003eseq_skb\n     and puts the skb to the write queue\n\n  4. Thread A faces an error and finally frees skb that is already in the\n     write queue\n\n  5. kcm_release() does double-free the skb in the write queue\n\nWhen a thread is building a MSG_MORE skb, another thread must not touch it.\n\nLet\u0027s add a per-sk mutex and serialise kcm_sendmsg().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]\nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]\nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]\nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167\n\nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall trace:\n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x178/0x518 mm/kasan/report.c:488\n kasan_report+0xd8/0x138 mm/kasan/report.c:601\n __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n __skb_unlink include/linux/skbuff.h:2366 [inline]\n __skb_dequeue include/linux/skbuff.h:2385 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\n __skb_queue_purge include/linux/skbuff.h:3181 [inline]\n kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\n __sock_release net/socket.c:659 [inline]\n sock_close+0xa4/0x1e8 net/socket.c:1421\n __fput+0x30c/0x738 fs/file_table.c:376\n ____fput+0x20/0x30 fs/file_table.c:404\n task_work_run+0x230/0x2e0 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x618/0x1f64 kernel/exit.c:871\n do_group_exit+0x194/0x22c kernel/exit.c:1020\n get_signal+0x1500/0x15ec kernel/signal.c:2893\n do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249\n do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148\n exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]\n exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]\n el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nAllocated by task 6166:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626\n unpoison_slab_object mm/kasan/common.c:314 [inline]\n __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3813 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903\n __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641\n alloc_skb include/linux/skbuff.h:1296 [inline]\n kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n sock_sendmsg+0x220/0x2c0 net/socket.c:768\n splice_to_socket+0x7cc/0xd58 fs/splice.c:889\n do_splice_from fs/splice.c:941 [inline]\n direct_splice_actor+0xec/0x1d8 fs/splice.c:1164\n splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108\n do_splice_direct_actor \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:32:31.932Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c9cdbf600143bd6835c8b8351e5ac956da79aec"
        },
        {
          "url": "https://git.kernel.org/stable/c/6633b17840bf828921254d788ccd15602843fe9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb06c8d3022ce6738711191c89f9b3e9cfb91914"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa6c23fe6dcac8c8bd63920ee8681292a2bd544e"
        },
        {
          "url": "https://git.kernel.org/stable/c/72da240aafb142630cf16adc803ccdacb3780849"
        },
        {
          "url": "https://git.kernel.org/stable/c/00425508f30baa5ab6449a1f478480ca7cffa6da"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c8d544ed619f704e2b70e63e08ab75630c2ea23"
        },
        {
          "url": "https://git.kernel.org/stable/c/807067bf014d4a3ae2cc55bd3de16f22a01eb580"
        }
      ],
      "title": "kcm: Serialise kcm_sendmsg() for the same socket.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44946",
    "datePublished": "2024-08-31T13:22:47.250Z",
    "dateReserved": "2024-08-21T05:34:56.665Z",
    "dateUpdated": "2026-05-11T20:32:31.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-44946",
      "date": "2026-06-09",
      "epss": "0.00231",
      "percentile": "0.46052"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.6\", \"versionEndExcluding\": \"6.1.107\", \"matchCriteriaId\": \"90446753-6047-4C19-AD2D-8691C846DDB3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.2\", \"versionEndExcluding\": \"6.6.48\", \"matchCriteriaId\": \"9DE9201A-CE6B-4726-BABB-8265EA0F8AE4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.10.7\", \"matchCriteriaId\": \"D2AFDFD1-D95A-4EB7-843B-5E7659518B67\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B3CE743-2126-47A3-8B7C-822B502CF119\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0005AEF-856E-47EB-BFE4-90C46899394D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"39889A68-6D34-47A6-82FC-CD0BF23D6754\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkcm: Serialise kcm_sendmsg() for the same socket.\\n\\nsyzkaller reported UAF in kcm_release(). [0]\\n\\nThe scenario is\\n\\n  1. Thread A builds a skb with MSG_MORE and sets kcm-\u003eseq_skb.\\n\\n  2. Thread A resumes building skb from kcm-\u003eseq_skb but is blocked\\n     by sk_stream_wait_memory()\\n\\n  3. Thread B calls sendmsg() concurrently, finishes building kcm-\u003eseq_skb\\n     and puts the skb to the write queue\\n\\n  4. Thread A faces an error and finally frees skb that is already in the\\n     write queue\\n\\n  5. kcm_release() does double-free the skb in the write queue\\n\\nWhen a thread is building a MSG_MORE skb, another thread must not touch it.\\n\\nLet\u0027s add a per-sk mutex and serialise kcm_sendmsg().\\n\\n[0]:\\nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]\\nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\\nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167\\n\\nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\\nCall trace:\\n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291\\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x178/0x518 mm/kasan/report.c:488\\n kasan_report+0xd8/0x138 mm/kasan/report.c:601\\n __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\\n __skb_unlink include/linux/skbuff.h:2366 [inline]\\n __skb_dequeue include/linux/skbuff.h:2385 [inline]\\n __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\\n __skb_queue_purge include/linux/skbuff.h:3181 [inline]\\n kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xa4/0x1e8 net/socket.c:1421\\n __fput+0x30c/0x738 fs/file_table.c:376\\n ____fput+0x20/0x30 fs/file_table.c:404\\n task_work_run+0x230/0x2e0 kernel/task_work.c:180\\n exit_task_work include/linux/task_work.h:38 [inline]\\n do_exit+0x618/0x1f64 kernel/exit.c:871\\n do_group_exit+0x194/0x22c kernel/exit.c:1020\\n get_signal+0x1500/0x15ec kernel/signal.c:2893\\n do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249\\n do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148\\n exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]\\n exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]\\n el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713\\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\\n\\nAllocated by task 6166:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\\n kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626\\n unpoison_slab_object mm/kasan/common.c:314 [inline]\\n __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340\\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\\n slab_post_alloc_hook mm/slub.c:3813 [inline]\\n slab_alloc_node mm/slub.c:3860 [inline]\\n kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903\\n __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641\\n alloc_skb include/linux/skbuff.h:1296 [inline]\\n kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n sock_sendmsg+0x220/0x2c0 net/socket.c:768\\n splice_to_socket+0x7cc/0xd58 fs/splice.c:889\\n do_splice_from fs/splice.c:941 [inline]\\n direct_splice_actor+0xec/0x1d8 fs/splice.c:1164\\n splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108\\n do_splice_direct_actor \\n---truncated---\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: kcm: serializar kcm_sendmsg() para el mismo socket. syzkaller inform\\u00f3 de UAF en kcm_release(). [0] El escenario es 1. El hilo A crea un skb con MSG_MORE y establece kcm-\u0026gt;seq_skb. 2. El hilo A reanuda la creaci\\u00f3n de skb desde kcm-\u0026gt;seq_skb, pero es bloqueado por sk_stream_wait_memory() 3. El hilo B llama a sendmsg() simult\\u00e1neamente, termina de crear kcm-\u0026gt;seq_skb y coloca el skb en la cola de escritura 4. El hilo A enfrenta un error y finalmente libera el skb que ya est\\u00e1 en la cola de escritura 5. kcm_release() libera dos veces el skb en la cola de escritura Cuando un hilo est\\u00e1 creando un skb MSG_MORE, otro hilo no debe tocarlo. Agreguemos un mutex por sk y serialicemos kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor  ---truncado---\"}]",
      "id": "CVE-2024-44946",
      "lastModified": "2024-09-04T12:15:05.150",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-08-31T14:15:04.320",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/00425508f30baa5ab6449a1f478480ca7cffa6da\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/6633b17840bf828921254d788ccd15602843fe9b\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/72da240aafb142630cf16adc803ccdacb3780849\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/807067bf014d4a3ae2cc55bd3de16f22a01eb580\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/8c9cdbf600143bd6835c8b8351e5ac956da79aec\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/9c8d544ed619f704e2b70e63e08ab75630c2ea23\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/eb06c8d3022ce6738711191c89f9b3e9cfb91914\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/fa6c23fe6dcac8c8bd63920ee8681292a2bd544e\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-44946\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-31T14:15:04.320\",\"lastModified\":\"2025-11-03T23:15:43.513\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkcm: Serialise kcm_sendmsg() for the same socket.\\n\\nsyzkaller reported UAF in kcm_release(). [0]\\n\\nThe scenario is\\n\\n  1. Thread A builds a skb with MSG_MORE and sets kcm-\u003eseq_skb.\\n\\n  2. Thread A resumes building skb from kcm-\u003eseq_skb but is blocked\\n     by sk_stream_wait_memory()\\n\\n  3. Thread B calls sendmsg() concurrently, finishes building kcm-\u003eseq_skb\\n     and puts the skb to the write queue\\n\\n  4. Thread A faces an error and finally frees skb that is already in the\\n     write queue\\n\\n  5. kcm_release() does double-free the skb in the write queue\\n\\nWhen a thread is building a MSG_MORE skb, another thread must not touch it.\\n\\nLet\u0027s add a per-sk mutex and serialise kcm_sendmsg().\\n\\n[0]:\\nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]\\nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\\nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167\\n\\nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\\nCall trace:\\n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291\\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x178/0x518 mm/kasan/report.c:488\\n kasan_report+0xd8/0x138 mm/kasan/report.c:601\\n __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\\n __skb_unlink include/linux/skbuff.h:2366 [inline]\\n __skb_dequeue include/linux/skbuff.h:2385 [inline]\\n __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\\n __skb_queue_purge include/linux/skbuff.h:3181 [inline]\\n kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xa4/0x1e8 net/socket.c:1421\\n __fput+0x30c/0x738 fs/file_table.c:376\\n ____fput+0x20/0x30 fs/file_table.c:404\\n task_work_run+0x230/0x2e0 kernel/task_work.c:180\\n exit_task_work include/linux/task_work.h:38 [inline]\\n do_exit+0x618/0x1f64 kernel/exit.c:871\\n do_group_exit+0x194/0x22c kernel/exit.c:1020\\n get_signal+0x1500/0x15ec kernel/signal.c:2893\\n do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249\\n do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148\\n exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]\\n exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]\\n el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713\\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\\n\\nAllocated by task 6166:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\\n kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626\\n unpoison_slab_object mm/kasan/common.c:314 [inline]\\n __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340\\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\\n slab_post_alloc_hook mm/slub.c:3813 [inline]\\n slab_alloc_node mm/slub.c:3860 [inline]\\n kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903\\n __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641\\n alloc_skb include/linux/skbuff.h:1296 [inline]\\n kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n sock_sendmsg+0x220/0x2c0 net/socket.c:768\\n splice_to_socket+0x7cc/0xd58 fs/splice.c:889\\n do_splice_from fs/splice.c:941 [inline]\\n direct_splice_actor+0xec/0x1d8 fs/splice.c:1164\\n splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108\\n do_splice_direct_actor \\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: kcm: serializar kcm_sendmsg() para el mismo socket. syzkaller inform\u00f3 de UAF en kcm_release(). [0] El escenario es 1. El hilo A crea un skb con MSG_MORE y establece kcm-\u0026gt;seq_skb. 2. El hilo A reanuda la creaci\u00f3n de skb desde kcm-\u0026gt;seq_skb, pero es bloqueado por sk_stream_wait_memory() 3. El hilo B llama a sendmsg() simult\u00e1neamente, termina de crear kcm-\u0026gt;seq_skb y coloca el skb en la cola de escritura 4. El hilo A enfrenta un error y finalmente libera el skb que ya est\u00e1 en la cola de escritura 5. kcm_release() libera dos veces el skb en la cola de escritura Cuando un hilo est\u00e1 creando un skb MSG_MORE, otro hilo no debe tocarlo. Agreguemos un mutex por sk y serialicemos kcm_sendmsg(). [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167 CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x178/0x518 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 __skb_unlink include/linux/skbuff.h:2366 [inline] __skb_dequeue include/linux/skbuff.h:2385 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] __skb_queue_purge include/linux/skbuff.h:3181 [inline] kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 __sock_release net/socket.c:659 [inline] sock_close+0xa4/0x1e8 net/socket.c:1421 __fput+0x30c/0x738 fs/file_table.c:376 ____fput+0x20/0x30 fs/file_table.c:404 task_work_run+0x230/0x2e0 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x618/0x1f64 kernel/exit.c:871 do_group_exit+0x194/0x22c kernel/exit.c:1020 get_signal+0x1500/0x15ec kernel/signal.c:2893 do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Allocated by task 6166: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641 alloc_skb include/linux/skbuff.h:1296 [inline] kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x220/0x2c0 net/socket.c:768 splice_to_socket+0x7cc/0xd58 fs/splice.c:889 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0xec/0x1d8 fs/splice.c:1164 splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108 do_splice_direct_actor  ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.6\",\"versionEndExcluding\":\"6.1.107\",\"matchCriteriaId\":\"90446753-6047-4C19-AD2D-8691C846DDB3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.48\",\"matchCriteriaId\":\"9DE9201A-CE6B-4726-BABB-8265EA0F8AE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.7\",\"matchCriteriaId\":\"D2AFDFD1-D95A-4EB7-843B-5E7659518B67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/00425508f30baa5ab6449a1f478480ca7cffa6da\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6633b17840bf828921254d788ccd15602843fe9b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72da240aafb142630cf16adc803ccdacb3780849\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/807067bf014d4a3ae2cc55bd3de16f22a01eb580\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8c9cdbf600143bd6835c8b8351e5ac956da79aec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9c8d544ed619f704e2b70e63e08ab75630c2ea23\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/eb06c8d3022ce6738711191c89f9b3e9cfb91914\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fa6c23fe6dcac8c8bd63920ee8681292a2bd544e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T22:13:51.524Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-44946\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:27:06.483265Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:19.197Z\"}}], \"cna\": {\"title\": \"kcm: Serialise kcm_sendmsg() for the same socket.\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"8c9cdbf600143bd6835c8b8351e5ac956da79aec\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"6633b17840bf828921254d788ccd15602843fe9b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"eb06c8d3022ce6738711191c89f9b3e9cfb91914\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"fa6c23fe6dcac8c8bd63920ee8681292a2bd544e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"72da240aafb142630cf16adc803ccdacb3780849\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"00425508f30baa5ab6449a1f478480ca7cffa6da\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"9c8d544ed619f704e2b70e63e08ab75630c2ea23\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ab7ac4eb9832e32a09f4e8042705484d2fb0aad3\", \"lessThan\": \"807067bf014d4a3ae2cc55bd3de16f22a01eb580\", \"versionType\": \"git\"}], \"programFiles\": [\"include/net/kcm.h\", \"net/kcm/kcmsock.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.6\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.321\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.283\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.225\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.166\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.107\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.48\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"include/net/kcm.h\", \"net/kcm/kcmsock.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/8c9cdbf600143bd6835c8b8351e5ac956da79aec\"}, {\"url\": \"https://git.kernel.org/stable/c/6633b17840bf828921254d788ccd15602843fe9b\"}, {\"url\": \"https://git.kernel.org/stable/c/eb06c8d3022ce6738711191c89f9b3e9cfb91914\"}, {\"url\": \"https://git.kernel.org/stable/c/fa6c23fe6dcac8c8bd63920ee8681292a2bd544e\"}, {\"url\": \"https://git.kernel.org/stable/c/72da240aafb142630cf16adc803ccdacb3780849\"}, {\"url\": \"https://git.kernel.org/stable/c/00425508f30baa5ab6449a1f478480ca7cffa6da\"}, {\"url\": \"https://git.kernel.org/stable/c/9c8d544ed619f704e2b70e63e08ab75630c2ea23\"}, {\"url\": \"https://git.kernel.org/stable/c/807067bf014d4a3ae2cc55bd3de16f22a01eb580\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkcm: Serialise kcm_sendmsg() for the same socket.\\n\\nsyzkaller reported UAF in kcm_release(). [0]\\n\\nThe scenario is\\n\\n  1. Thread A builds a skb with MSG_MORE and sets kcm-\u003eseq_skb.\\n\\n  2. Thread A resumes building skb from kcm-\u003eseq_skb but is blocked\\n     by sk_stream_wait_memory()\\n\\n  3. Thread B calls sendmsg() concurrently, finishes building kcm-\u003eseq_skb\\n     and puts the skb to the write queue\\n\\n  4. Thread A faces an error and finally frees skb that is already in the\\n     write queue\\n\\n  5. kcm_release() does double-free the skb in the write queue\\n\\nWhen a thread is building a MSG_MORE skb, another thread must not touch it.\\n\\nLet\u0027s add a per-sk mutex and serialise kcm_sendmsg().\\n\\n[0]:\\nBUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\\nBUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline]\\nBUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\\nRead of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167\\n\\nCPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\\nCall trace:\\n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291\\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:377 [inline]\\n print_report+0x178/0x518 mm/kasan/report.c:488\\n kasan_report+0xd8/0x138 mm/kasan/report.c:601\\n __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\\n __skb_unlink include/linux/skbuff.h:2366 [inline]\\n __skb_dequeue include/linux/skbuff.h:2385 [inline]\\n __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]\\n __skb_queue_purge include/linux/skbuff.h:3181 [inline]\\n kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691\\n __sock_release net/socket.c:659 [inline]\\n sock_close+0xa4/0x1e8 net/socket.c:1421\\n __fput+0x30c/0x738 fs/file_table.c:376\\n ____fput+0x20/0x30 fs/file_table.c:404\\n task_work_run+0x230/0x2e0 kernel/task_work.c:180\\n exit_task_work include/linux/task_work.h:38 [inline]\\n do_exit+0x618/0x1f64 kernel/exit.c:871\\n do_group_exit+0x194/0x22c kernel/exit.c:1020\\n get_signal+0x1500/0x15ec kernel/signal.c:2893\\n do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249\\n do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148\\n exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]\\n exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]\\n el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713\\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\\n\\nAllocated by task 6166:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\\n kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626\\n unpoison_slab_object mm/kasan/common.c:314 [inline]\\n __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340\\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\\n slab_post_alloc_hook mm/slub.c:3813 [inline]\\n slab_alloc_node mm/slub.c:3860 [inline]\\n kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903\\n __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641\\n alloc_skb include/linux/skbuff.h:1296 [inline]\\n kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783\\n sock_sendmsg_nosec net/socket.c:730 [inline]\\n __sock_sendmsg net/socket.c:745 [inline]\\n sock_sendmsg+0x220/0x2c0 net/socket.c:768\\n splice_to_socket+0x7cc/0xd58 fs/splice.c:889\\n do_splice_from fs/splice.c:941 [inline]\\n direct_splice_actor+0xec/0x1d8 fs/splice.c:1164\\n splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108\\n do_splice_direct_actor \\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.321\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.283\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.225\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.166\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.107\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.48\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.7\", \"versionStartIncluding\": \"4.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"4.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:32:31.932Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-44946\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:32:31.932Z\", \"dateReserved\": \"2024-08-21T05:34:56.665Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-08-31T13:22:47.250Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.