{
  "threat_severity" : "Moderate",
  "public_date" : "2024-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF",
    "id" : "2313134",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2313134"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nfscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF\nThe fscache_cookie_lru_timer is initialized when the fscache module\nis inserted, but is not deleted when the fscache module is removed.\nIf timer_reduce() is called before removing the fscache module,\nthe fscache_cookie_lru_timer will be added to the timer list of\nthe current cpu. Afterwards, a use-after-free will be triggered\nin the softIRQ after removing the fscache module, as follows:\n==================================================================\nBUG: unable to handle page fault for address: fffffbfff803c9e9\nPF: supervisor read access in kernel mode\nPF: error_code(0x0000) - not-present page\nPGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855\nTainted: [W]=WARN\nRIP: 0010:__run_timer_base.part.0+0x254/0x8a0\nCall Trace:\n<IRQ>\ntmigr_handle_remote_up+0x627/0x810\n__walk_groups.isra.0+0x47/0x140\ntmigr_handle_remote+0x1fa/0x2f0\nhandle_softirqs+0x180/0x590\nirq_exit_rcu+0x84/0xb0\nsysvec_apic_timer_interrupt+0x6e/0x90\n</IRQ>\n<TASK>\nasm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\ndefault_idle_call+0x38/0x60\ndo_idle+0x2b5/0x300\ncpu_startup_entry+0x54/0x60\nstart_secondary+0x20d/0x280\ncommon_startup_64+0x13e/0x148\n</TASK>\nModules linked in: [last unloaded: netfs]\n==================================================================\nTherefore delete fscache_cookie_lru_timer when removing the fscache module." ],
  "statement" : "The bug can occur while the fscache module is being removed. Only a privileged user can trigger it (or it can happen during unmount of a filesystem or system shutdown). As a result, the security impact is limited.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-46786\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46786\nhttps://lore.kernel.org/linux-cve-announce/2024091851-CVE-2024-46786-a167@gregkh/T" ],
  "name" : "CVE-2024-46786",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module fscache from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}