CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix race between delayed_work() and ceph_monc_stop()
The way the delayed work is handled in ceph_monc_stop() is prone to
races with mon_fault() and possibly also finish_hunting(). Both of
these can requeue the delayed work which wouldn’t be canceled by any of
the following code in case that happens after cancel_delayed_work_sync()
runs – __close_session() doesn’t mess with the delayed work in order
to avoid interfering with the hunting interval logic. This part was
missed in commit b5d91704f53e (“libceph: behave in mon_fault() if
cur_mon < 0”) and use-after-free can still ensue on monc and objects
that hang off of it, with monc->auth and monc->monmap being
particularly susceptible to quickly being reused.
To fix this:
git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf
git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7
git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a
git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e
git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c
git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea
git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883
git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d
security-tracker.debian.org/tracker/CVE-2024-42232