{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49865", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T12:17:06.017Z", "datePublished": "2024-10-21T18:01:08.620Z", "dateUpdated": "2025-05-04T09:39:52.060Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:39:52.060Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: move xa_alloc to prevent UAF\n\nEvil user can guess the next id of the vm before the ioctl completes and\nthen call vm destroy ioctl to trigger UAF since create ioctl is still\nreferencing the same vm. Move the xa_alloc all the way to the end to\nprevent this.\n\nv2:\n - Rebase\n\n(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_vm.c"], "versions": [{"version": "dd08ebf6c3525a7ea2186e636df064ea47281987", "lessThan": "09cf8901fc0225898311b375cfcc67bae37ed5da", "status": "affected", "versionType": "git"}, {"version": "dd08ebf6c3525a7ea2186e636df064ea47281987", "lessThan": "74231870cf4976f69e83aa24f48edb16619f652f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_vm.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.11.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/09cf8901fc0225898311b375cfcc67bae37ed5da"}, {"url": "https://git.kernel.org/stable/c/74231870cf4976f69e83aa24f48edb16619f652f"}], "title": "drm/xe/vm: move xa_alloc to prevent UAF", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:47:46.140074Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:48:52.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:47:46.140074Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:47:49.401Z"}}], "cna": {"title": "drm/xe/vm: move xa_alloc to prevent UAF", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "dd08ebf6c3525a7ea2186e636df064ea47281987", "lessThan": "09cf8901fc0225898311b375cfcc67bae37ed5da", "versionType": "git"}, {"status": "affected", "version": "dd08ebf6c3525a7ea2186e636df064ea47281987", "lessThan": "74231870cf4976f69e83aa24f48edb16619f652f", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/xe/xe_vm.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.8"}, {"status": "unaffected", "version": "0", "lessThan": "6.8", "versionType": "semver"}, {"status": "unaffected", "version": "6.11.3", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/xe/xe_vm.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/09cf8901fc0225898311b375cfcc67bae37ed5da"}, {"url": "https://git.kernel.org/stable/c/74231870cf4976f69e83aa24f48edb16619f652f"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: move xa_alloc to prevent UAF\n\nEvil user can guess the next id of the vm before the ioctl completes and\nthen call vm destroy ioctl to trigger UAF since create ioctl is still\nreferencing the same vm. Move the xa_alloc all the way to the end to\nprevent this.\n\nv2:\n - Rebase\n\n(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12", "versionStartIncluding": "6.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:39:52.060Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49865", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:39:52.060Z", "dateReserved": "2024-10-21T12:17:06.017Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T18:01:08.620Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2282FC43-371A-4D57-B45D-C41FB2B46917", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: move xa_alloc to prevent UAF\n\nEvil user can guess the next id of the vm before the ioctl completes and\nthen call vm destroy ioctl to trigger UAF since create ioctl is still\nreferencing the same vm. Move the xa_alloc all the way to the end to\nprevent this.\n\nv2:\n - Rebase\n\n(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe/vm: mover xa_alloc para evitar UAF Un usuario malintencionado puede adivinar el siguiente id de la m\u00e1quina virtual antes de que se complete el ioctl y luego llamar a vm destroy ioctl para activar el UAF, ya que create ioctl sigue haciendo referencia a la misma m\u00e1quina virtual. Mueva xa_alloc hasta el final para evitar esto. v2: - Rebase (seleccionado de el commit dcfd3971327f3ee92765154baebbaece833d3ca9)"}], "id": "CVE-2024-49865", "lastModified": "2024-10-24T03:44:33.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T18:15:06.270", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/09cf8901fc0225898311b375cfcc67bae37ed5da"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/74231870cf4976f69e83aa24f48edb16619f652f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/xe/vm: move xa_alloc to prevent UAF", "id": "2320449", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320449"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/xe/vm: move xa_alloc to prevent UAF\nEvil user can guess the next id of the vm before the ioctl completes and\nthen call vm destroy ioctl to trigger UAF since create ioctl is still\nreferencing the same vm. Move the xa_alloc all the way to the end to\nprevent this.\nv2:\n- Rebase\n(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)"], "name": "CVE-2024-49865", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-49865\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49865\nhttps://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-49865-ae89@gregkh/T"], "threat_severity": "Moderate"}

{}