{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-29T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: PCI/MSI: Fix UAF in msi_capability_init",
    "id" : "2300491",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2300491"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nPCI/MSI: Fix UAF in msi_capability_init\nKFENCE reports the following UAF:\nBUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488\nUse-after-free read at 0x0000000024629571 (in kfence-#12):\n__pci_enable_msi_range+0x2c0/0x488\npci_alloc_irq_vectors_affinity+0xec/0x14c\npci_alloc_irq_vectors+0x18/0x28\nkfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128\nallocated by task 81 on cpu 7 at 10.808142s:\n__kmem_cache_alloc_node+0x1f0/0x2bc\nkmalloc_trace+0x44/0x138\nmsi_alloc_desc+0x3c/0x9c\nmsi_domain_insert_msi_desc+0x30/0x78\nmsi_setup_msi_desc+0x13c/0x184\n__pci_enable_msi_range+0x258/0x488\npci_alloc_irq_vectors_affinity+0xec/0x14c\npci_alloc_irq_vectors+0x18/0x28\nfreed by task 81 on cpu 7 at 10.811436s:\nmsi_domain_free_descs+0xd4/0x10c\nmsi_domain_free_locked.part.0+0xc0/0x1d8\nmsi_domain_alloc_irqs_all_locked+0xb4/0xbc\npci_msi_setup_msi_irqs+0x30/0x4c\n__pci_enable_msi_range+0x2a8/0x488\npci_alloc_irq_vectors_affinity+0xec/0x14c\npci_alloc_irq_vectors+0x18/0x28\nDescriptor allocation done in:\n__pci_enable_msi_range\nmsi_capability_init\nmsi_setup_msi_desc\nmsi_insert_msi_desc\nmsi_domain_insert_msi_desc\nmsi_alloc_desc\n...\nFreed in case of failure in __msi_domain_alloc_locked()\n__pci_enable_msi_range\nmsi_capability_init\npci_msi_setup_msi_irqs\nmsi_domain_alloc_irqs_all_locked\nmsi_domain_alloc_locked\n__msi_domain_alloc_locked => fails\nmsi_domain_free_locked\n...\nThat failure propagates back to pci_msi_setup_msi_irqs() in\nmsi_capability_init() which accesses the descriptor for unmasking in the\nerror exit path.\nCure it by copying the descriptor and using the copy for the error exit path\nunmask operation.\n[ tglx: Massaged change log ]", "A use after free vulnerability was found in the Linux Kernel. Failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init(), which accesses the descriptor for unmasking in the error exit path, leading to a loss of confidentiality, integrity, and availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6567",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.35.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6567",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.35.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-41096\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-41096\nhttps://lore.kernel.org/linux-cve-announce/2024072954-CVE-2024-41096-4ed0@gregkh/T" ],
  "name" : "CVE-2024-41096",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}