[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-53168":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2024-53168","In the Linux kernel, the following vulnerability has been resolved:  sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket  BUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0 Read of size 1 at addr ffff888111f322cd by task swapper/0/0  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 Call Trace:  \u003CIRQ>  dump_stack_lvl+0x68/0xa0  print_address_description.constprop.0+0x2c/0x3d0  print_report+0xb4/0x270  kasan_report+0xbd/0xf0  tcp_write_timer_handler+0x156/0x3e0  tcp_write_timer+0x66/0x170  call_timer_fn+0xfb/0x1d0  __run_timers+0x3f8/0x480  run_timer_softirq+0x9b/0x100  handle_softirqs+0x153/0x390  __irq_exit_rcu+0x103/0x120  irq_exit_rcu+0xe/0x20  sysvec_apic_timer_interrupt+0x76/0x90  \u003C/IRQ>  \u003CTASK>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90  90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 \u003Cfa> c3 cc cc cc  cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffffffa2007e28 EFLAGS: 00000242 RAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d R10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0  default_idle_call+0x6b/0xa0  cpuidle_idle_call+0x1af/0x1f0  do_idle+0xbc/0x130  cpu_startup_entry+0x33/0x40  rest_init+0x11f/0x210  start_kernel+0x39a/0x420  x86_64_start_reservations+0x18/0x30  x86_64_start_kernel+0x97/0xa0  common_startup_64+0x13e/0x141  \u003C/TASK>  Allocated by task 595:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_slab_alloc+0x87/0x90  kmem_cache_alloc_noprof+0x12b/0x3f0  copy_net_ns+0x94/0x380  create_new_namespaces+0x24c/0x500  unshare_nsproxy_namespaces+0x75/0xf0  ksys_unshare+0x24e/0x4f0  __x64_sys_unshare+0x1f/0x30  do_syscall_64+0x70/0x180  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Freed by task 100:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  kasan_save_free_info+0x3b/0x60  __kasan_slab_free+0x54/0x70  kmem_cache_free+0x156/0x5d0  cleanup_net+0x5d3/0x670  process_one_work+0x776/0xa90  worker_thread+0x2e2/0x560  kthread+0x1a8/0x1f0  ret_from_fork+0x34/0x60  ret_from_fork_asm+0x1a/0x30  Reproduction script:  mkdir -p /mnt/nfsshare mkdir -p /mnt/nfs/netns_1 mkfs.ext4 /dev/sdb mount /dev/sdb /mnt/nfsshare systemctl restart nfs-server chmod 777 /mnt/nfsshare exportfs -i -o rw,no_root_squash *:/mnt/nfsshare  ip netns add netns_1 ip link add name veth_1_peer type veth peer veth_1 ifconfig veth_1_peer 11.11.0.254 up ip link set veth_1 netns netns_1 ip netns exec netns_1 ifconfig veth_1 11.11.0.1  ip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \\ \t--tcp-flags FIN FIN  -j DROP  (note: In my environment, a DESTROY_CLIENTID operation is always sent  immediately, breaking the nfs tcp connection.) ip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \\ \t11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1  ip netns del netns_1  The reason here is that the tcp socket in netns_1 (nfs side) has been shutdown and closed (done in xs_destroy), but the FIN message (with ack) is discarded, and the nfsd side keeps sending retransmission messages. As a result, when the tcp sock in netns_1 processes the received message, it sends the message (FIN message) in the sending queue, and the tcp timer is re-established. When the network namespace is deleted, the net structure accessed by tcp's timer handler function causes problems.  To fix this problem, let's hold netns refcnt for the tcp kernel socket as done in other modules. This is an ugly hack which can easily be backported to earlier kernels. A proper fix which cleans up the interfaces will follow, but may not be so easy to backport.",null,[],[],[],[14],{"_key":15},"CVE-2024-53168",[],[],[],"2024-12-27T14:15:23.940Z","2026-04-28T20:29:00.388628Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2024-53168",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[40],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,50,51,55],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":52,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":53,"version_end_type":54,"fixed_in":9},"lt6_12_3_1","6.12.3-1","excluding",{"version":52,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":53,"version_end_type":54,"fixed_in":9}]