[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-44946":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":23,"related":24,"reserved_at":9,"published_at":25,"modified_at":26,"state":9,"summary":27,"references_raw":29,"kevs":36,"epss":9,"epss_history":37,"metrics":38,"affected":45},"DEBIAN-CVE-2024-44946","In the Linux kernel, the following vulnerability has been resolved:  kcm: Serialise kcm_sendmsg() for the same socket.  syzkaller reported UAF in kcm_release(). [0]  The scenario is    1. Thread A builds a skb with MSG_MORE and sets kcm->seq_skb.    2. Thread A resumes building skb from kcm->seq_skb but is blocked      by sk_stream_wait_memory()    3. Thread B calls sendmsg() concurrently, finishes building kcm->seq_skb      and puts the skb to the write queue    4. Thread A faces an error and finally frees skb that is already in the      write queue    5. kcm_release() does double-free the skb in the write queue  When a thread is building a MSG_MORE skb, another thread must not touch it.  Let's add a per-sk mutex and serialise kcm_sendmsg().  [0]: BUG: KASAN: slab-use-after-free in __skb_unlink include/linux/skbuff.h:2366 [inline] BUG: KASAN: slab-use-after-free in __skb_dequeue include/linux/skbuff.h:2385 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline] BUG: KASAN: slab-use-after-free in __skb_queue_purge include/linux/skbuff.h:3181 [inline] BUG: KASAN: slab-use-after-free in kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691 Read of size 8 at addr ffff0000ced0fc80 by task syz-executor329/6167  CPU: 1 PID: 6167 Comm: syz-executor329 Tainted: G    B              6.8.0-rc5-syzkaller-g9abbc24128bc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call trace:  dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291  show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298  __dump_stack lib/dump_stack.c:88 [inline]  dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106  print_address_description mm/kasan/report.c:377 [inline]  print_report+0x178/0x518 mm/kasan/report.c:488  kasan_report+0xd8/0x138 mm/kasan/report.c:601  __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381  __skb_unlink include/linux/skbuff.h:2366 [inline]  __skb_dequeue include/linux/skbuff.h:2385 [inline]  __skb_queue_purge_reason include/linux/skbuff.h:3175 [inline]  __skb_queue_purge include/linux/skbuff.h:3181 [inline]  kcm_release+0x170/0x4c8 net/kcm/kcmsock.c:1691  __sock_release net/socket.c:659 [inline]  sock_close+0xa4/0x1e8 net/socket.c:1421  __fput+0x30c/0x738 fs/file_table.c:376  ____fput+0x20/0x30 fs/file_table.c:404  task_work_run+0x230/0x2e0 kernel/task_work.c:180  exit_task_work include/linux/task_work.h:38 [inline]  do_exit+0x618/0x1f64 kernel/exit.c:871  do_group_exit+0x194/0x22c kernel/exit.c:1020  get_signal+0x1500/0x15ec kernel/signal.c:2893  do_signal+0x23c/0x3b44 arch/arm64/kernel/signal.c:1249  do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148  exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]  exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]  el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598  Allocated by task 6166:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x40/0x78 mm/kasan/common.c:68  kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626  unpoison_slab_object mm/kasan/common.c:314 [inline]  __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340  kasan_slab_alloc include/linux/kasan.h:201 [inline]  slab_post_alloc_hook mm/slub.c:3813 [inline]  slab_alloc_node mm/slub.c:3860 [inline]  kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903  __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641  alloc_skb include/linux/skbuff.h:1296 [inline]  kcm_sendmsg+0x1d3c/0x2124 net/kcm/kcmsock.c:783  sock_sendmsg_nosec net/socket.c:730 [inline]  __sock_sendmsg net/socket.c:745 [inline]  sock_sendmsg+0x220/0x2c0 net/socket.c:768  splice_to_socket+0x7cc/0xd58 fs/splice.c:889  do_splice_from fs/splice.c:941 [inline]  direct_splice_actor+0xec/0x1d8 fs/splice.c:1164  splice_direct_to_actor+0x438/0xa0c fs/splice.c:1108  do_splice_direct_actor  ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2024-44946",[17,19,21],{"_key":18},"DLA-3912-1",{"_key":20},"DLA-4008-1",{"_key":22},"DSA-5782-1",[],[],"2024-08-31T14:15:04.320Z","2026-04-28T20:28:30.234628Z",{"cisa_kev":28,"cisa_ransomware":28,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[30],{"url":31,"sources":32,"tags":34},"https://security-tracker.debian.org/tracker/CVE-2024-44946",[33],"osv_debian",[35],"Advisory",[],[],[39],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":40,"cvss_v4_0":9},{"baseScore":41,"baseSeverity":9,"vectorString":42,"impactScore":43,"exploitabilityScore":44},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[46,65],{"ecosystem":47,"name":48,"vendor":49,"product":48,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":48,"source":9,"versions":51},"Debian","linux","debian","deb",[52,58,61,64],{"version":53,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt5_10_226_1",true,"ecosystem","5.10.226-1","excluding",{"version":59,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_1_112_1","6.1.112-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},"lt6_10_7_1","6.10.7-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},{"ecosystem":47,"name":66,"vendor":49,"product":66,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":66,"source":9,"versions":67},"linux-6.1",[68],{"version":69,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":70,"version_end_type":57,"fixed_in":9},"lt6_1_119_1~deb11u1","6.1.119-1~deb11u1"]