CVE-2024-56709

In the Linux kernel, the following vulnerability has been resolved: io_uring: check if iowq is killed before queuing task work can be executed after the task has gone through io_uring termination, whether it's the final task_work run or the fallback path. In this case, task work will find ->io_wq being already killed and null'ed, which is a problem if it then tries to forward the request to io_queue_iowq(). Make io_queue_iowq() fail requests in this case. Note that it also checks PF_KTHREAD, because the user can first close a DEFER_TASKRUN ring and shortly after kill the task, in which case ->iowq check would race.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/2ca94c8de36091067b9ce7527ae8db3812d38781	Patch
https://git.kernel.org/stable/c/4f95a2186b7f2af09331e1e8069bcaf34fe019cf	Patch
https://git.kernel.org/stable/c/534d59ab38010aada88390db65985e65d0de7d9e	Patch
https://git.kernel.org/stable/c/dbd2ca9367eb19bc5e269b8c58b0b1514ada9156	Patch
https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.14:-::::::
	cpe:2.3:o:linux:linux_kernel:5.14:rc4::::::
	cpe:2.3:o:linux:linux_kernel:5.14:rc5::::::
	cpe:2.3:o:linux:linux_kernel:5.14:rc6::::::
	cpe:2.3:o:linux:linux_kernel:5.14:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc3::::::

History

No history.

Information

Published : 2024-12-29 09:15

Updated : 2025-11-03 21:18

NVD link : CVE-2024-56709

Mitre link : CVE-2024-56709

CVE.ORG link : CVE-2024-56709

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-56709", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-12-29T09:15:05.820", "references": [{"url": "https://git.kernel.org/stable/c/2ca94c8de36091067b9ce7527ae8db3812d38781", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f95a2186b7f2af09331e1e8069bcaf34fe019cf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/534d59ab38010aada88390db65985e65d0de7d9e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dbd2ca9367eb19bc5e269b8c58b0b1514ada9156", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check if iowq is killed before queuing\n\ntask work can be executed after the task has gone through io_uring\ntermination, whether it's the final task_work run or the fallback path.\nIn this case, task work will find ->io_wq being already killed and\nnull'ed, which is a problem if it then tries to forward the request to\nio_queue_iowq(). Make io_queue_iowq() fail requests in this case.\n\nNote that it also checks PF_KTHREAD, because the user can first close\na DEFER_TASKRUN ring and shortly after kill the task, in which case\n->iowq check would race."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: comprueba si iowq se elimina antes de que se pueda ejecutar la tarea de cola work despu\u00e9s de que la tarea haya pasado por la terminaci\u00f3n io_uring, ya sea la ejecuci\u00f3n final de task_work o la ruta de respaldo. En este caso, la tarea work encontrar\u00e1 que ->io_wq ya se ha eliminado y se ha anulado, lo que es un problema si luego intenta reenviar la solicitud a io_queue_iowq(). Haz que io_queue_iowq() falle las solicitudes en este caso. Ten en cuenta que tambi\u00e9n comprueba PF_KTHREAD, porque el usuario puede cerrar primero un anillo DEFER_TASKRUN y poco despu\u00e9s eliminar la tarea, en cuyo caso la comprobaci\u00f3n de ->iowq se acelerar\u00eda."}], "lastModified": "2025-11-03T21:18:22.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "679FD336-8759-40E5-B1D1-C91ADEFBB8C2", "versionEndExcluding": "6.1.122", "versionStartIncluding": "5.14.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74BA9823-CCED-4B24-815D-B82543954BF8", "versionEndExcluding": "6.6.68", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "811AC89A-14AC-49FA-9B54-E99526F1CA47", "versionEndExcluding": "6.12.7", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A05198E-F8FA-4517-8D0E-8C95066AED38"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D1DA0AF6-02F4-47C7-A318-8C006ED0C665"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49DD30B1-8C99-4C38-A66B-CAB3827BEE8A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15013998-4AF0-4CDC-AB13-829ECD8A8E66"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "376A25CF-C05B-48F1-99B1-8FB0314A8E06"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}