CVE-2024-35848

MEDIUM

Linux Kernel 5.3-5.10.216, 5.11-5.15.158, 5.16-6.1.90, 6.2-6.6.30, 6.7-6.8.8 - Use-After-Free in EEPROM AT24 Driver

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: eeprom: at24: fix memory corruption race condition If the eeprom is not accessible, an nvmem device will be registered, the read will fail, and the device will be torn down. If another driver accesses the nvmem device after the teardown, it will reference invalid memory. Move the failure point before registering the nvmem device.

References (7)

Core 7

Core References

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html

Patch

https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da

Patch

https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a

Patch

https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6

Patch

https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676

Patch

https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc

Patch

https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2

Scores

CVSS v3 4.7

EPSS 0.0002

EPSS Percentile 3.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-362

Status published

Products (22)

debian/debian_linux 10.0

linux/Kernel 5.11.0 - 5.15.159linux

linux/Kernel 5.16.0 - 6.1.91linux

linux/Kernel 5.3.0 - 5.10.217linux

linux/Kernel 6.2.0 - 6.6.31linux

linux/Kernel 6.7.0 - 6.8.9linux

Linux/Linux < 5.3

Linux/Linux 5.10.217 - 5.10.*

Linux/Linux 5.15.159 - 5.15.*

Linux/Linux 5.3

... and 12 more

Published May 17, 2024

Tracked Since Feb 18, 2026