CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-43102

CVSS 10.0v3.1pub. 2024-09-05upd. 2024-11-21

Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.

🤖 AI Analysis
How it works

The vulnerability results from a bug in handling concurrent deletion requests of anonymous shared memory mappings using the UMTX_SHM_DESTROY sub-request of the UMTX_OP_SHM operation. Concurrent calls to this sub-request by multiple threads cause the reference counter of the object representing the memory mapping to be decremented excessively. Consequently, the object is freed prematurely, creating a classic use-after-free scenario. Malicious code executing UMTX_SHM_DESTROY in parallel can lead to kernel panic or enable further attacks exploiting the freed memory.

Impact

An attacker can trigger kernel panic (denial of service), gain the ability to execute arbitrary code (RCE) in kernel context, or escape the Capsicum sandbox by taking control of the system.

Mitigation & patch

Apply patches available from the vendor according to the references — see FreeBSD advisory FreeBSD-SA-24:14.umtx published at https://security.freebsd.org/advisories/FreeBSD-SA-24:14.umtx.asc

Who is affected

FreeBSD — versions indicated in vendor references (advisory FreeBSD-SA-24:14.umtx)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Freebsd

    OS
    Freebsd
    13.313.414.014.113.0 – 13.3 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2024-29937CRITICAL9.8PL ✓ten sam produkt

RCE w implementacji NFS w OpenBSD i FreeBSD — zdalne wykonanie kodu

CVE-2022-23088CRITICAL9.8PL ✓ten sam produkt

FreeBSD: przepełnienie bufora w obsłudze beacon 802.11s prowadzące do RCE

CVE-2023-5941CRITICAL9.8ten sam produkt

In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5...

CVE-2023-3326CRITICAL9.8ten sam produkt

pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket...

CVE-2020-25577CRITICAL9.8ten sam produkt

In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before...