CVE-2024-35831

In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix release of pinned pages when __io_uaddr_map fails Looking at the error path of __io_uaddr_map, if we fail after pinning the pages for any reasons, ret will be set to -EINVAL and the error handler won't properly release the pinned pages. I didn't manage to trigger it without forcing a failure, but it can happen in real life when memory is heavily fragmented.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62	Patch
https://git.kernel.org/stable/c/4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a	Patch
https://git.kernel.org/stable/c/67d1189d1095d471ed7fa426c7e384a7140a5dd7	Patch
https://git.kernel.org/stable/c/712e2c8415f55a4a4ddaa98a430b87f624109f69	Patch
https://git.kernel.org/stable/c/0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62	Patch
https://git.kernel.org/stable/c/4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a	Patch
https://git.kernel.org/stable/c/67d1189d1095d471ed7fa426c7e384a7140a5dd7	Patch
https://git.kernel.org/stable/c/712e2c8415f55a4a4ddaa98a430b87f624109f69	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.6:-::::::
	cpe:2.3:o:linux:linux_kernel:6.6:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.6:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.6:rc7::::::

History

No history.

Information

Published : 2024-05-17 14:15

Updated : 2025-09-26 16:06

NVD link : CVE-2024-35831

Mitre link : CVE-2024-35831

CVE.ORG link : CVE-2024-35831

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2024-35831", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-17T14:15:19.517", "references": [{"url": "https://git.kernel.org/stable/c/0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/67d1189d1095d471ed7fa426c7e384a7140a5dd7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/712e2c8415f55a4a4ddaa98a430b87f624109f69", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/67d1189d1095d471ed7fa426c7e384a7140a5dd7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/712e2c8415f55a4a4ddaa98a430b87f624109f69", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix release of pinned pages when __io_uaddr_map fails\n\nLooking at the error path of __io_uaddr_map, if we fail after pinning\nthe pages for any reasons, ret will be set to -EINVAL and the error\nhandler won't properly release the pinned pages.\n\nI didn't manage to trigger it without forcing a failure, but it can\nhappen in real life when memory is heavily fragmented."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: corregida la liberaci\u00f3n de p\u00e1ginas fijadas cuando falla __io_uaddr_map. Mirando la ruta de error de __io_uaddr_map, si fallamos despu\u00e9s de fijar las p\u00e1ginas por cualquier motivo, ret se establecer\u00e1 en -EINVAL y el El controlador de errores no libera correctamente las p\u00e1ginas fijadas. No logr\u00e9 activarlo sin forzar un fallo, pero puede suceder en la vida real cuando la memoria est\u00e1 muy fragmentada."}], "lastModified": "2025-09-26T16:06:17.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88FFD8F0-A60D-49F5-86A4-9C7B702C4BB2", "versionEndExcluding": "6.6", "versionStartIncluding": "6.5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FDDE612-99E9-45F9-8D80-727F7FE08891", "versionEndExcluding": "6.6.23", "versionStartIncluding": "6.6.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD", "versionEndExcluding": "6.7.11", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1", "versionEndExcluding": "6.8.2", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7C78D0A-C4A2-4D41-B726-8979E33AD0F9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E114E9DD-F7E1-40CC-AAD5-F14E586CB2E6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC5BD782-474C-4A68-AED7-6EC818FF89AE"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}