CVE-2024-46762 (GCVE-0-2024-46762)

Vulnerability from cvelistv5 – Published: 2024-09-18 07:12 – Updated: 2026-05-11 20:35
VLAI
Title
xen: privcmd: Fix possible access to a freed kirqfd instance
Summary
In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6 , < e997b357b13a7d95de31681fc54fcc34235fa527 (git)
Affected: f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6 , < 112fd2f02b308564724b8e81006c254d20945c4b (git)
Affected: f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6 , < 611ff1b1ae989a7bcce3e2a8e132ee30e968c557 (git)
Create a notification for this product.
Linux Linux Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.51 , ≤ 6.6.* (semver)
Unaffected: 6.10.10 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:43:33.478974Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T14:43:47.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/privcmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e997b357b13a7d95de31681fc54fcc34235fa527",
              "status": "affected",
              "version": "f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6",
              "versionType": "git"
            },
            {
              "lessThan": "112fd2f02b308564724b8e81006c254d20945c4b",
              "status": "affected",
              "version": "f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6",
              "versionType": "git"
            },
            {
              "lessThan": "611ff1b1ae989a7bcce3e2a8e132ee30e968c557",
              "status": "affected",
              "version": "f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/privcmd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: privcmd: Fix possible access to a freed kirqfd instance\n\nNothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and\nprivcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd\ncreated and added to the irqfds_list by privcmd_irqfd_assign() may get\nremoved by another thread executing privcmd_irqfd_deassign(), while the\nformer is still using it after dropping the locks.\n\nThis can lead to a situation where an already freed kirqfd instance may\nbe accessed and cause kernel oops.\n\nUse SRCU locking to prevent the same, as is done for the KVM\nimplementation for irqfds."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:35:51.620Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527"
        },
        {
          "url": "https://git.kernel.org/stable/c/112fd2f02b308564724b8e81006c254d20945c4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/611ff1b1ae989a7bcce3e2a8e132ee30e968c557"
        }
      ],
      "title": "xen: privcmd: Fix possible access to a freed kirqfd instance",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46762",
    "datePublished": "2024-09-18T07:12:21.854Z",
    "dateReserved": "2024-09-11T15:12:18.272Z",
    "dateUpdated": "2026-05-11T20:35:51.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-46762",
      "date": "2026-06-08",
      "epss": "0.00017",
      "percentile": "0.04562"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.6.51\", \"matchCriteriaId\": \"D4954ED0-8229-4D57-B4B3-CB5154734977\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.10.10\", \"matchCriteriaId\": \"ACDEE48C-137A-4731-90D0-A675865E1BED\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen: privcmd: Fix possible access to a freed kirqfd instance\\n\\nNothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and\\nprivcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd\\ncreated and added to the irqfds_list by privcmd_irqfd_assign() may get\\nremoved by another thread executing privcmd_irqfd_deassign(), while the\\nformer is still using it after dropping the locks.\\n\\nThis can lead to a situation where an already freed kirqfd instance may\\nbe accessed and cause kernel oops.\\n\\nUse SRCU locking to prevent the same, as is done for the KVM\\nimplementation for irqfds.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xen: privcmd: Fix possible access to a freed kirqfd instance Nada impide llamadas ioctl simult\\u00e1neas a privcmd_irqfd_assign() y privcmd_irqfd_deassign(). Si eso sucede, es posible que un kirqfd creado y agregado a la irqfds_list por privcmd_irqfd_assign() pueda ser eliminado por otro hilo que ejecuta privcmd_irqfd_deassign(), mientras que el primero todav\\u00eda lo est\\u00e1 usando despu\\u00e9s de eliminar los bloqueos. Esto puede llevar a una situaci\\u00f3n en la que se puede acceder a una instancia kirqfd ya liberada y causar errores del kernel. Use el bloqueo SRCU para evitar lo mismo, como se hace para la implementaci\\u00f3n de KVM para irqfds.\"}]",
      "id": "CVE-2024-46762",
      "lastModified": "2024-09-23T16:12:34.420",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-09-18T08:15:04.570",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/112fd2f02b308564724b8e81006c254d20945c4b\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/611ff1b1ae989a7bcce3e2a8e132ee30e968c557\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-46762\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-18T08:15:04.570\",\"lastModified\":\"2024-09-23T16:12:34.420\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen: privcmd: Fix possible access to a freed kirqfd instance\\n\\nNothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and\\nprivcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd\\ncreated and added to the irqfds_list by privcmd_irqfd_assign() may get\\nremoved by another thread executing privcmd_irqfd_deassign(), while the\\nformer is still using it after dropping the locks.\\n\\nThis can lead to a situation where an already freed kirqfd instance may\\nbe accessed and cause kernel oops.\\n\\nUse SRCU locking to prevent the same, as is done for the KVM\\nimplementation for irqfds.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xen: privcmd: Fix possible access to a freed kirqfd instance Nada impide llamadas ioctl simult\u00e1neas a privcmd_irqfd_assign() y privcmd_irqfd_deassign(). Si eso sucede, es posible que un kirqfd creado y agregado a la irqfds_list por privcmd_irqfd_assign() pueda ser eliminado por otro hilo que ejecuta privcmd_irqfd_deassign(), mientras que el primero todav\u00eda lo est\u00e1 usando despu\u00e9s de eliminar los bloqueos. Esto puede llevar a una situaci\u00f3n en la que se puede acceder a una instancia kirqfd ya liberada y causar errores del kernel. Use el bloqueo SRCU para evitar lo mismo, como se hace para la implementaci\u00f3n de KVM para irqfds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.6.51\",\"matchCriteriaId\":\"D4954ED0-8229-4D57-B4B3-CB5154734977\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.10\",\"matchCriteriaId\":\"ACDEE48C-137A-4731-90D0-A675865E1BED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/112fd2f02b308564724b8e81006c254d20945c4b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/611ff1b1ae989a7bcce3e2a8e132ee30e968c557\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-46762\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-29T14:43:33.478974Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-29T14:43:37.649Z\"}}], \"cna\": {\"title\": \"xen: privcmd: Fix possible access to a freed kirqfd instance\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6\", \"lessThan\": \"e997b357b13a7d95de31681fc54fcc34235fa527\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6\", \"lessThan\": \"112fd2f02b308564724b8e81006c254d20945c4b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f8941e6c4c712948663ec5d7bbb546f1a0f4e3f6\", \"lessThan\": \"611ff1b1ae989a7bcce3e2a8e132ee30e968c557\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/xen/privcmd.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.6\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.6\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.51\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/xen/privcmd.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/e997b357b13a7d95de31681fc54fcc34235fa527\"}, {\"url\": \"https://git.kernel.org/stable/c/112fd2f02b308564724b8e81006c254d20945c4b\"}, {\"url\": \"https://git.kernel.org/stable/c/611ff1b1ae989a7bcce3e2a8e132ee30e968c557\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen: privcmd: Fix possible access to a freed kirqfd instance\\n\\nNothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and\\nprivcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd\\ncreated and added to the irqfds_list by privcmd_irqfd_assign() may get\\nremoved by another thread executing privcmd_irqfd_deassign(), while the\\nformer is still using it after dropping the locks.\\n\\nThis can lead to a situation where an already freed kirqfd instance may\\nbe accessed and cause kernel oops.\\n\\nUse SRCU locking to prevent the same, as is done for the KVM\\nimplementation for irqfds.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.51\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.10\", \"versionStartIncluding\": \"6.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-01-05T11:37:37.901Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-46762\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-05T11:37:37.901Z\", \"dateReserved\": \"2024-09-11T15:12:18.272Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-18T07:12:21.854Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.