CVE-2024-35882
MEDIUMLinux Kernel 6.6-6.6.25, 6.7-6.8.4, 6.9 - Use-After-Free in SUNRPC TCP Message Handling
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix a slow server-side memory leak with RPC-over-TCP Jan Schunk reports that his small NFS servers suffer from memory exhaustion after just a few days. A bisect shows that commit e18e157bb5c8 ("SUNRPC: Send RPC message on TCP with a single sock_sendmsg() call") is the first bad commit. That commit assumed that sock_sendmsg() releases all the pages in the underlying bio_vec array, but the reality is that it doesn't. svc_xprt_release() releases the rqst's response pages, but the record marker page fragment isn't one of those, so it is never released. This is a narrow fix that can be applied to stable kernels. A more extensive fix is in the works.
References (3)
Core 3
Core References
Mailing List, Patch
https://git.kernel.org/stable/c/1ba1291172f935e6b6fe703161a948f3347400b8
Mailing List, Patch
https://git.kernel.org/stable/c/a2ebedf7bcd17a1194a0a18122c885eb578ee882
Mailing List, Patch
https://git.kernel.org/stable/c/05258a0a69b3c5d2c003f818702c0a52b6fea861
Scores
CVSS v3
5.5
EPSS
0.0022
EPSS Percentile
13.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-401
Status
published
Products (12)
linux/Kernel
6.6.0 - 6.6.26linux
linux/Kernel
6.7.0 - 6.8.5linux
Linux/Linux
< 6.6
Linux/Linux
6.6
Linux/Linux
6.6.26 - 6.6.*
Linux/Linux
6.8.5 - 6.8.*
Linux/Linux
6.9
Linux/Linux
e18e157bb5c8c1cd8a9ba25acfdcf4f3035836f4 - 05258a0a69b3c5d2c003f818702c0a52b6fea861
Linux/Linux
e18e157bb5c8c1cd8a9ba25acfdcf4f3035836f4 - 1ba1291172f935e6b6fe703161a948f3347400b8
Linux/Linux
e18e157bb5c8c1cd8a9ba25acfdcf4f3035836f4 - a2ebedf7bcd17a1194a0a18122c885eb578ee882
... and 2 more
Published
May 19, 2024
Tracked Since
Feb 18, 2026