[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-35870":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":19,"related":20,"reserved_at":9,"published_at":21,"modified_at":22,"state":9,"summary":23,"references_raw":25,"kevs":32,"epss":9,"epss_history":33,"metrics":34,"affected":41},"DEBIAN-CVE-2024-35870","In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix UAF in smb2_reconnect_server()  The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses().  This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING.  To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down.  The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc:  kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\\\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\\\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 \u003C48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace:  \u003CTASK>  ? die_addr+0x36/0x90  ? exc_general_protection+0x1c1/0x3f0  ? asm_exc_general_protection+0x26/0x30  ? __list_del_entry_valid_or_report+0x33/0xf0  __cifs_put_smb_ses+0x1ae/0x500 [cifs]  smb2_reconnect_server+0x4ed/0x710 [cifs]  process_one_work+0x205/0x6b0  worker_thread+0x191/0x360  ? __pfx_worker_thread+0x10/0x10  kthread+0xe2/0x110  ? __pfx_kthread+0x10/0x10  ret_from_fork+0x34/0x50  ? __pfx_kthread+0x10/0x10  ret_from_fork_asm+0x1a/0x30  \u003C/TASK>",null,[],[],[],[14],{"_key":15},"CVE-2024-35870",[17],{"_key":18},"DLA-4076-1",[],[],"2024-05-19T09:15:08.427Z","2026-04-28T20:28:00.111890Z",{"cisa_kev":24,"cisa_ransomware":24,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[26],{"url":27,"sources":28,"tags":30},"https://security-tracker.debian.org/tracker/CVE-2024-35870",[29],"osv_debian",[31],"Advisory",[],[],[35],{"source":29,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":36,"cvss_v4_0":9},{"baseScore":37,"baseSeverity":9,"vectorString":38,"impactScore":39,"exploitabilityScore":40},4.4,"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",6,2.1,[42,60],{"ecosystem":43,"name":44,"vendor":45,"product":44,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":44,"source":9,"versions":47},"Debian","linux","debian","deb",[48,52,56,59],{"version":49,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":53,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":55,"fixed_in":9},"lt6_1_123_1","6.1.123-1","excluding",{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},"lt6_8_9_1","6.8.9-1",{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},{"ecosystem":43,"name":61,"vendor":45,"product":61,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":61,"source":9,"versions":62},"linux-6.1",[63],{"version":64,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":65,"version_end_type":55,"fixed_in":9},"lt6_1_128_1~deb11u1","6.1.128-1~deb11u1"]