FreeBSD UMTX SHM_DESTROY UAF Leading to Kernel Panic
CVE-2024-43102 Published on September 5, 2024
umtx Kernel panic or Use-After-Free
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.
A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
Vulnerability Analysis
CVE-2024-43102 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Types
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2024-43102 has been classified to as a Dangling pointer vulnerability or weakness.
Improper Update of Reference Count
The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released.
Products Associated with CVE-2024-43102
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 14.1-RELEASE and below p4 is affected.
- Version 14.0-RELEASE and below p10 is affected.
- Version 13.3-RELEASE and below p6 is affected.
- Version 14.1 and below 14.1_p4 is affected.
- Version 14.0 and below 14.0_p10 is affected.
- Version 13.3 and below 13.3_p6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.