CVE-2024-35791

HIGH

Linux Kernel 4.19.176-4.19.x - Use-After-Free in svm_register_enc_region

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

Scores

CVSS v3 7.8
EPSS 0.0024
EPSS Percentile 14.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (27)
debian/debian_linux 10.0
linux/Kernel < 5.10.215linux
linux/Kernel 5.11.0 - 6.1.84linux
linux/Kernel 5.16.0 - 6.6.24linux
linux/Kernel 6.2.0 - 6.7.12linux
Linux/Linux < 5.11
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - 12f8e32a5a389a5d58afc67728c76e61beee1ad4
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - 4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - e126b508ed2e616d679d85fca2fbe77bb48bbdd7
... and 17 more
Published May 17, 2024
Tracked Since Feb 18, 2026