CVE-2024-35955: In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix possible use-after-free issue on kprobe registration When unloading...

Description

In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix possible use-after-free issue on kprobe registration When unloading a module, its state is changing MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time. `is_module_text_address()` and `__module_text_address()` works with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one is succeeded but the next one is failed because module->state becomes MODULE_STATE_UNFORMED between those operations. In `check_kprobe_address_safe()`, if the second `__module_text_address()` is failed, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify non-exist module text address (use-after-free). To fix this problem, we should not use separated `is_module_text_address()` and `__module_text_address()`, but use only `__module_text_address()` once and do `try_module_get(module)` which is only available with MODULE_STATE_LIVE.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.17%

63.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-416

Affected Software

Vendor	Product	Versions	Update
Linux	Linux Kernel	>= 4.14.291, < 4.15	—
Linux	Linux Kernel	>= 4.19.256, < 4.19.313	—
Linux	Linux Kernel	>= 5.4.211, < 5.4.275	—
Linux	Linux Kernel	>= 5.10.137, < 5.10.216	—
Linux	Linux Kernel	>= 5.15.61, < 5.15.157	—
Linux	Linux Kernel	>= 5.18.18, < 5.19	—
Linux	Linux Kernel	>= 5.19.2, < 6.1.87	—
Linux	Linux Kernel	>= 6.2, < 6.6.28	—
Linux	Linux Kernel	>= 6.7, < 6.8.7	—
Linux	Linux Kernel	6.9	Rc1
Debian	Debian Linux	10.0	—

References

Timeline

Published: May 20, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-35955?

In the Linux kernel, the following vulnerability has been resolved: kprobes: Fix possible use-after-free issue on kprobe registration When unloading a module, its state is changing MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time. `is_module_text_address()` and `__module_text_address()` works with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one is succeeded but the next one is failed because module->state becomes MODULE_STATE_UNFORMED between those operations. In `check_kprobe_address_safe()`, if the second `__module_text_address()` is failed, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify non-exist module text address (use-after-free). To fix this problem, we should not use separated `is_module_text_address()` and `__module_text_address()`, but use only `__module_text_address()` once and do `try_module_get(module)` which is only available with MODULE_STATE_LIVE.

How severe is CVE-2024-35955?

CVE-2024-35955 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.17% probability of exploitation in the next 30 days.

How do I fix CVE-2024-35955?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.