CVE-2024-35870 (GCVE-0-2024-35870)

Vulnerability from cvelistv5 – Published: 2024-05-19 08:34 – Updated: 2026-05-11 20:12
VLAI
Title
smb: client: fix UAF in smb2_reconnect_server()
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in smb2_reconnect_server() The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>
Severity
4.4 (Medium)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: b327a717e506980399464e304e363f94f95eb7a1 , < 755fe68cd4b59e1d2a2dd3286177fd4404f57fed (git)
Affected: b327a717e506980399464e304e363f94f95eb7a1 , < 6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0 (git)
Affected: b327a717e506980399464e304e363f94f95eb7a1 , < 45f2beda1f1bc3d962ec07db1ccc3197c25499a5 (git)
Affected: b327a717e506980399464e304e363f94f95eb7a1 , < 24a9799aa8efecd0eb55a75e35f9d8e6400063aa (git)
Create a notification for this product.
Linux Linux Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.29 , ≤ 6.6.* (semver)
Unaffected: 6.8.5 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-35870",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:38:54.896093Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-27T14:02:11.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:37:37.141Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "755fe68cd4b59e1d2a2dd3286177fd4404f57fed",
              "status": "affected",
              "version": "b327a717e506980399464e304e363f94f95eb7a1",
              "versionType": "git"
            },
            {
              "lessThan": "6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0",
              "status": "affected",
              "version": "b327a717e506980399464e304e363f94f95eb7a1",
              "versionType": "git"
            },
            {
              "lessThan": "45f2beda1f1bc3d962ec07db1ccc3197c25499a5",
              "status": "affected",
              "version": "b327a717e506980399464e304e363f94f95eb7a1",
              "versionType": "git"
            },
            {
              "lessThan": "24a9799aa8efecd0eb55a75e35f9d8e6400063aa",
              "status": "affected",
              "version": "b327a717e506980399464e304e363f94f95eb7a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.29",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.5",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses().  This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses-\u003eses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses-\u003eses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we\u0027re still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses-\u003eipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 \u0026\u003e/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 \u003c48\u003e 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:12:51.427Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/755fe68cd4b59e1d2a2dd3286177fd4404f57fed"
        },
        {
          "url": "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0"
        },
        {
          "url": "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa"
        }
      ],
      "title": "smb: client: fix UAF in smb2_reconnect_server()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35870",
    "datePublished": "2024-05-19T08:34:28.419Z",
    "dateReserved": "2024-05-17T13:50:33.108Z",
    "dateUpdated": "2026-05-11T20:12:51.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-35870",
      "date": "2026-06-04",
      "epss": "8e-05",
      "percentile": "0.00812"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35870\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T09:15:08.427\",\"lastModified\":\"2025-11-03T21:16:11.800\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix UAF in smb2_reconnect_server()\\n\\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\\nis already being teared down by another thread that is executing\\n__cifs_put_smb_ses().  This can happen when (a) the client has\\nconnection to the server but no session or (b) another thread ends up\\nsetting @ses-\u003eses_status again to something different than\\nSES_EXITING.\\n\\nTo fix this, we need to make sure to unconditionally set\\n@ses-\u003eses_status to SES_EXITING and prevent any other threads from\\nsetting a new status while we\u0027re still tearing it down.\\n\\nThe following can be reproduced by adding some delay to right after\\nthe ipc is freed in __cifs_put_smb_ses() - which will give\\nsmb2_reconnect_server() worker a chance to run and then accessing\\n@ses-\u003eipc:\\n\\nkinit ...\\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\\n[disconnect srv]\\nls /mnt/1 \u0026\u003e/dev/null\\nsleep 30\\nkdestroy\\n[reconnect srv]\\nsleep 10\\numount /mnt/1\\n...\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\ngeneral protection fault, probably for non-canonical address\\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 \u003c48\u003e 8b 01 48 39 f8 75\\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\\nknlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \u003cTASK\u003e\\n ? die_addr+0x36/0x90\\n ? exc_general_protection+0x1c1/0x3f0\\n ? asm_exc_general_protection+0x26/0x30\\n ? __list_del_entry_valid_or_report+0x33/0xf0\\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\\n smb2_reconnect_server+0x4ed/0x710 [cifs]\\n process_one_work+0x205/0x6b0\\n worker_thread+0x191/0x360\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe2/0x110\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \u003c/TASK\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF en smb2_reconnect_server() El error de UAF se debe a que smb2_reconnect_server() accede a una sesi\u00f3n que ya est\u00e1 siendo cancelada por otro hilo que est\u00e1 ejecutando __cifs_put_smb_ses(). Esto puede suceder cuando (a) el cliente tiene conexi\u00f3n al servidor pero no tiene sesi\u00f3n o (b) otro hilo termina configurando @ses-\u0026gt;ses_status nuevamente en algo diferente a SES_EXITING. Para solucionar este problema, debemos asegurarnos de establecer incondicionalmente @ses-\u0026gt;ses_status en SES_EXITING y evitar que otros hilos establezcan un nuevo estado mientras todav\u00eda lo estamos derribando. Lo siguiente se puede reproducir agregando algo de retraso justo despu\u00e9s de que se libera el ipc en __cifs_put_smb_ses(), lo que le dar\u00e1 al trabajador smb2_reconnect_server() la oportunidad de ejecutarse y luego acceder a @ses-\u0026gt;ipc: kinit ... mount.cifs // srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 \u0026amp;\u0026gt;/dev/null dormir 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verifique que el usuario tenga un ticket krb5 y keyutils est\u00e9 instalado CIFS: VFS: \\\\\\\\srv Enviar error en SessSetup = -126 CIFS: VFS: Verifique que el usuario tenga un ticket krb5 y keyutils est\u00e9 instalado CIFS: VFS: \\\\\\\\srv Enviar error en SessSetup = -126 fallo de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Nombre de hardware : PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 01/04/2014 Cola de trabajo: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 C\u00f3digo: 4f 08 48 85 d2 4 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 \u0026lt;48\u0026gt; 8b 01 48 39 f8 75 7b 48 8b 72 08 48 9 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: muerto000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Seguimiento de llamadas: \u0026lt; TASK\u0026gt; ? die_addr+0x36/0x90? exc_general_protection+0x1c1/0x3f0? asm_exc_general_protection+0x26/0x30? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] Process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.1.121\",\"matchCriteriaId\":\"391AABB6-B177-482C-9E7A-44C36BA7F003\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.29\",\"matchCriteriaId\":\"0999E154-1E68-41FA-8DE3-9A735E382224\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.8.5\",\"matchCriteriaId\":\"DBD6C99E-4250-4DFE-8447-FF2075939D10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/755fe68cd4b59e1d2a2dd3286177fd4404f57fed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:37:37.141Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35870\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-17T17:38:54.896093Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-17T17:38:56.142Z\"}}], \"cna\": {\"title\": \"smb: client: fix UAF in smb2_reconnect_server()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"b327a717e506980399464e304e363f94f95eb7a1\", \"lessThan\": \"755fe68cd4b59e1d2a2dd3286177fd4404f57fed\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b327a717e506980399464e304e363f94f95eb7a1\", \"lessThan\": \"6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b327a717e506980399464e304e363f94f95eb7a1\", \"lessThan\": \"45f2beda1f1bc3d962ec07db1ccc3197c25499a5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"b327a717e506980399464e304e363f94f95eb7a1\", \"lessThan\": \"24a9799aa8efecd0eb55a75e35f9d8e6400063aa\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/smb/client/connect.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.16\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.16\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.1.121\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.29\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/smb/client/connect.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/755fe68cd4b59e1d2a2dd3286177fd4404f57fed\"}, {\"url\": \"https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0\"}, {\"url\": \"https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5\"}, {\"url\": \"https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix UAF in smb2_reconnect_server()\\n\\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\\nis already being teared down by another thread that is executing\\n__cifs_put_smb_ses().  This can happen when (a) the client has\\nconnection to the server but no session or (b) another thread ends up\\nsetting @ses-\u003eses_status again to something different than\\nSES_EXITING.\\n\\nTo fix this, we need to make sure to unconditionally set\\n@ses-\u003eses_status to SES_EXITING and prevent any other threads from\\nsetting a new status while we\u0027re still tearing it down.\\n\\nThe following can be reproduced by adding some delay to right after\\nthe ipc is freed in __cifs_put_smb_ses() - which will give\\nsmb2_reconnect_server() worker a chance to run and then accessing\\n@ses-\u003eipc:\\n\\nkinit ...\\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\\n[disconnect srv]\\nls /mnt/1 \u0026\u003e/dev/null\\nsleep 30\\nkdestroy\\n[reconnect srv]\\nsleep 10\\numount /mnt/1\\n...\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\\nCIFS: VFS: \\\\\\\\srv Send error in SessSetup = -126\\ngeneral protection fault, probably for non-canonical address\\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 \u003c48\u003e 8b 01 48 39 f8 75\\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\\nknlGS:0000000000000000\\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\\nPKRU: 55555554\\nCall Trace:\\n \u003cTASK\u003e\\n ? die_addr+0x36/0x90\\n ? exc_general_protection+0x1c1/0x3f0\\n ? asm_exc_general_protection+0x26/0x30\\n ? __list_del_entry_valid_or_report+0x33/0xf0\\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\\n smb2_reconnect_server+0x4ed/0x710 [cifs]\\n process_one_work+0x205/0x6b0\\n worker_thread+0x191/0x360\\n ? __pfx_worker_thread+0x10/0x10\\n kthread+0xe2/0x110\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork+0x34/0x50\\n ? __pfx_kthread+0x10/0x10\\n ret_from_fork_asm+0x1a/0x30\\n \u003c/TASK\u003e\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.121\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.29\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.5\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"4.16\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-01-05T10:35:38.689Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-35870\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-05T10:35:38.689Z\", \"dateReserved\": \"2024-05-17T13:50:33.108Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-19T08:34:28.419Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.