CVE-2024-46858

CVSS 3.1 Score 7 of 10 (high)

Details

Published Sep 27, 2024
Updated: Dec 27, 2024
CWE ID 416

Summary

CVE-2024-46858 is a Linux kernel vulnerability affecting the mptcp module. The issue stems from a race condition between two paths to the function mptcp_pm_del_add_timer. CPU1 calls net_rx_action and NF_HOOK, while CPU2 runs remove_anno_list_by_saddr. This race condition results in a use-after-free (UAF) vulnerability in mptcp_pm_del_add_timer on CPU1. To mitigate this issue, developers should keep a reference to add_timer inside the pm.lock, and call sk_stop_timer_sync() with this reference instead of "entry->add_timer". Additionally, list_del(&entry->list) should be moved to mptcp_pm_del_add_timer and executed within the pm lock, while avoiding direct access to any entry members outside the pm lock.
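The locking pattern described in the summary, shown as a userspace C model. This is an added example, not the kernel's code or the upstream patch. All names (`struct pm`, `pm_add`, `del_add_timer`, `stop_timer_sync`) are hypothetical stand-ins, and a spin flag models pm.lock.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
struct timer { int armed; };
struct entry { struct entry *next; int addr_id; struct timer add_timer; };
struct pm { atomic_flag lock; struct entry *anno_list; };

static void pm_lock(struct pm *pm) { while (atomic_flag_test_and_set(&pm->lock)) { } }
static void pm_unlock(struct pm *pm) { atomic_flag_clear(&pm->lock); }

/* Stand-in for sk_stop_timer_sync(): may wait, so it runs without the lock. */
static void stop_timer_sync(struct timer *t) { t->armed = 0; }

static int pm_add(struct pm *pm, int addr_id)
{
    struct entry *e = calloc(1, sizeof(*e));
    if (!e) return -1;
    e->addr_id = addr_id;
    e->add_timer.armed = 1;
    pm_lock(pm);
    e->next = pm->anno_list;
    pm->anno_list = e;
    pm_unlock(pm);
    return 0;
}

/* Lookup, timer reference and unlink all happen under pm->lock. A non-NULL
 * return hands sole ownership to the caller, so only one path can free it. */
static struct entry *del_add_timer(struct pm *pm, int addr_id)
{
    struct entry **pp, *e = NULL;
    struct timer *add_timer = NULL;

    pm_lock(pm);
    for (pp = &pm->anno_list; *pp; pp = &(*pp)->next) {
        if ((*pp)->addr_id == addr_id) {
            e = *pp;
            add_timer = &e->add_timer; /* reference taken inside the lock */
            *pp = e->next;             /* list_del() equivalent, inside the lock */
            e->next = NULL;
            break;
        }
    }
    pm_unlock(pm);

    if (add_timer)                     /* never dereference the entry here */
        stop_timer_sync(add_timer);
    return e;
}
```

A second caller for the same address gets NULL because the entry was already unlinked under the lock, so it has nothing to stop or free.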
