CVE-2024-53143

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published Dec 7, 2024
Updated: Dec 13, 2024
CWE ID 416

Summary

CVE-2024-53143 is a vulnerability in the Linux kernel's fsnotify component. It stems from incorrect ordering of two operations, which leads to a use-after-free (UAF). Specifically, iput() must occur before the watched_objects count is decremented: fsnotify holds a reference to an inode, and the elevated watched_objects count is what keeps the superblock alive until that reference is released. If the decrement happens first, the result can be a UAF of sb->s_fs_info in tmpfs. Additionally, fsnotify_put_sb_watched_objects() must avoid calling fsnotify_sb_watched_objects() on a superblock that has already been freed, to prevent a UAF read of sb->s_fsnotify_info.
