CVE-2024-46786

Advisory lineage Upstream: 0 Downstream: 21

Downstream

DEBIAN-CVE-2024-46786 DLA-4476-1 DSA-6127-1 MGASA-2024-0316 MGASA-2024-0318 RHSA-2025:6966

Analyzed

Published: 18 Sept 2024, 07:12

Last modified:11 May 2026, 20:36

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

18 Sept 2024, 07:12

Published

Vulnerability first disclosed

11 May 2026, 20:36

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: <IRQ> tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 </TASK> Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.01%• Percentile: 2%

Techniques & Countermeasures

CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

linux•linux
≥ 12bb21a29c19aae50cfad4e2bb5c943108f34a7d, < c1fc36d5470335546c45799d94d7bb2cbc09e8b7 | ≥ 12bb21a29c19aae50cfad4e2bb5c943108f34a7d, < e0d724932ad12e3528f4ce97fc0f6078d0cce4bc | ≥ 12bb21a29c19aae50cfad4e2bb5c943108f34a7d, < 0a11262549ac2ac6fb98c7cd40a67136817e5a52 | ≥ 12bb21a29c19aae50cfad4e2bb5c943108f34a7d, < 72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f | 5.17
linux•linux_kernel
≥ 5.17, < 6.6.51 | ≥ 5.17, < 6.1.160 | ≥ 6.2, < 6.6.51 | ≥ 6.7, < 6.10.10 | 6.11:rc1 | 6.11:rc2 | 6.11:rc3 | 6.11:rc4 | 6.11:rc5 | 6.11:rc6