CVE-2024-35791

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4	Patch
https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d	Patch
https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865	Patch
https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807	Patch
https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7	Patch
https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a	Patch
https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4	Patch
https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d	Patch
https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865	Patch
https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807	Patch
https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7	Patch
https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.11:-::::::
	cpe:2.3:o:linux:linux_kernel:5.11:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc7::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

23 Dec 2025, 18:45

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel:6.8:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc7:::::: cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.8:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc3:::::: cpe:2.3:o:linux:linux_kernel:5.11:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc6:::::: cpe:2.3:o:linux:linux_kernel:5.11:-::::::
References	~~() https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4 -~~	() https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4 - Patch
References	~~() https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d -~~	() https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d - Patch
References	~~() https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 -~~	() https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 - Patch
References	~~() https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 -~~	() https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 - Patch
References	~~() https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 -~~	() https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 - Patch
References	~~() https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a -~~	() https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -~~	() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
First Time		Linux Debian Debian debian Linux Linux linux Kernel
CWE		CWE-416

21 Nov 2024, 09:20

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -
References	~~() https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4 -~~	() https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4 -
References	~~() https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d -~~	() https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d -
References	~~() https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 -~~	() https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 -
References	~~() https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 -~~	() https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 -
References	~~() https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 -~~	() https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 -
References	~~() https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a -~~	() https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a -

05 Nov 2024, 10:16

Type	Values Removed	Values Added
References	~~{'url': 'https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~

25 Jun 2024, 22:15

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: SVM: Vaciar páginas bajo kvm->lock para arreglar UAF en svm_register_enc_region() Realice el vaciado de caché de las páginas convertidas en svm_register_enc_region() antes de eliminar kvm->lock para arreglar el uso -Problemas posteriores a la liberación en los que la región y/o su conjunto de páginas podrían liberarse mediante una tarea diferente, por ejemplo, si el espacio de usuario ya tiene __unregister_enc_region_locked() en cola para la región. Tenga en cuenta que la alternativa "obvia" de usar variables locales no resuelve completamente el error, ya que región->páginas también se asigna dinámicamente. Es decir, la estructura de la región en sí estaría bien, pero se podrían liberar regiones->páginas. Vaciar varias páginas bajo kvm->lock es desafortunado, pero todo el flujo es un camino lento poco común, y el vaciado manual solo es necesario en CPU que carecen de coherencia para la memoria cifrada.
References		() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -

17 May 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-17 13:15

Updated : 2025-12-23 18:45

NVD link : CVE-2024-35791

Mitre link : CVE-2024-35791

CVE.ORG link : CVE-2024-35791

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10