CVE-2024-35863
📋 TL;DR
This CVE covers a use-after-free in the Linux kernel's SMB client (the cifs module, which also serves SMB2 and SMB3 mounts). The fix, titled "smb: client: fix potential UAF in is_valid_oplock_break()", makes the oplock break handler skip sessions whose status is SES_EXITING: an oplock break notification from the server that arrived while the matching session was being torn down could otherwise be processed against session and tree connection structures that had already been freed. The realistic outcome is a kernel oops or panic on the client; as with any kernel use-after-free, memory corruption that escalates to code execution in kernel context cannot be excluded, but no exploit achieving that is referenced here. Any system running an unpatched kernel that mounts SMB shares is affected.
💻 Affected Systems
- Linux kernel with the SMB/CIFS client (cifs module) built in or loadable, on versions that predate the fix commits listed under Official Fix
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Controlled reuse of the freed session memory leading to arbitrary code execution in kernel context and full compromise of the client host.
Likely Case
Kernel oops or panic on the SMB client host when a server-sent oplock break races with session teardown: a denial of service that requires a reboot to recover.
If Mitigated
If the cifs module is not loaded, or outbound SMB is restricted to trusted servers, the vulnerable path is unreachable by an attacker. Kernel hardening (KASLR, slab hardening) makes turning the bug into code execution harder but does not prevent the crash.
🎯 Exploit Status
No public exploit is referenced here. The bug is triggered by an oplock break notification that the server sends to the client, so the attacker has to control, compromise or impersonate (man-in-the-middle) an SMB server that the vulnerable client is connected to, and must win a race with session teardown (for example an unmount or a reconnect). Merely being able to reach the client over the network is not enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any kernel that contains the upstream fix commit or one of its stable backports:
- 0a15ba88a32fa7a516aff7ffd27befed5334dff2
- 16d58c6a7db5050b9638669084b63fc05f951825
- 494c91e1e9413b407d12166a61b84200d4d54fac
- 69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29
Distribution kernels carry the fix under their own version numbers; check your distribution's advisory for CVE-2024-35863.
Vendor Advisory: https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the running kernel version (uname -r) after the reboot.
🔧 Temporary Workarounds
Disable SMB client functionality
Remove or disable the SMB/CIFS client module if it is not required. Unmount all cifs/smb3 shares first, because modprobe -r refuses to unload a module that is in use. Note that a blacklist line only stops alias-based autoloading; an explicit modprobe cifs, or a mount -t cifs that loads the module on demand, still succeeds unless an install cifs /bin/false line is added as well.
modprobe -r cifs
echo 'blacklist cifs' >> /etc/modprobe.d/blacklist.conf
Restrict SMB network access
Use firewall rules to limit outbound SMB connections to trusted servers only. Add ACCEPT rules for the trusted servers before the DROP rules below; on their own these two rules block all SMB traffic from the host.
iptables -A OUTPUT -p tcp --dport 445 -j DROP
iptables -A OUTPUT -p tcp --dport 139 -j DROP
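The two workarounds above, put together as an added example (this is not code from the CVE entry or from the kernel project). It assumes a host with modprobe, findmnt, lsmod and iptables, a drop-in file name of cve-2024-35863-cifs.conf, and trusted server addresses passed on the command line; MODPROBE_DIR can be overridden so the configuration part can be tried in a scratch directory.

```bash
#!/usr/bin/env bash
# Added example (not from the CVE entry or the kernel project): apply the two
# interim mitigations for CVE-2024-35863 in a way that actually holds.
# Assumptions: modprobe, findmnt, lsmod and iptables are present; the drop-in
# file name below is our choice; MODPROBE_DIR is overridable for testing.
set -u

MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
CONF_FILE="cve-2024-35863-cifs.conf"   # assumed file name

# Write a modprobe drop-in that blocks the SMB client module.
# 'blacklist' only stops alias-based autoloading; 'install cifs /bin/false'
# also makes an explicit 'modprobe cifs' (e.g. triggered by 'mount -t cifs')
# fail, which is what a real mitigation needs. Prints the file written.
write_cifs_block() {
    local conf="$MODPROBE_DIR/$CONF_FILE"
    mkdir -p "$MODPROBE_DIR"
    printf '%s\n' \
        '# CVE-2024-35863 mitigation: prevent loading of the SMB client' \
        'blacklist cifs' \
        'install cifs /bin/false' > "$conf"
    printf '%s\n' "$conf"
}

# Print (do not execute) egress rules that allow SMB only to trusted servers.
# ACCEPT rules must precede the DROP rules; 'iptables -A' appends in order,
# so the order of the printed lines is the order in which to run them.
smb_egress_rules() {
    local server port
    for server in "$@"; do
        for port in 445 139; do
            printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$server" "$port"
        done
    done
    for port in 445 139; do
        printf 'iptables -A OUTPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Unmount every SMB share, then unload the module. 'modprobe -r' fails while
# a share is mounted, so the unmounts have to come first.
unload_cifs() {
    local target
    # -r: raw output, -n: no header, -t: only cifs/smb3 mounts, -o TARGET: mount points
    findmnt -rn -t cifs,smb3 -o TARGET | while read -r target; do
        umount "$target" || umount -l "$target"
    done
    if lsmod | grep -q '^cifs '; then
        modprobe -r cifs
    fi
}

# Usage (as root): ./mitigate.sh --apply 10.0.0.5 10.0.0.6
# The addresses are placeholders for your trusted file servers.
if [ "${1:-}" = "--apply" ]; then
    shift
    unload_cifs
    write_cifs_block
    smb_egress_rules "$@" | sh
fi
```

Run without --apply the script only defines the functions, so smb_egress_rules can be called by hand to review the rule set before anything is changed; with --apply it unmounts, writes the drop-in and installs the rules in that order.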
🧯 If You Can't Patch
- Implement network segmentation to isolate SMB client systems from untrusted networks
- Monitor for unusual SMB client behavior or kernel crashes
🔍 How to Verify
Check if Vulnerable:
Check whether the running kernel predates the fix: compare uname -r against the fixed version given in your distribution's advisory for CVE-2024-35863 (the upstream fix commits are listed above), or search the installed kernel package's changelog for the CVE ID. Then check whether the vulnerable code is reachable at all: the cifs module is loaded (lsmod | grep cifs) or SMB shares are mounted.
Check Version:
uname -r
Verify Fix Applied:
After the reboot, confirm that uname -r reports the patched version and that the changelog of the installed kernel package lists CVE-2024-35863. Stability during SMB operations is not evidence of the fix: the bug only manifests when an oplock break races with session teardown.
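The verification described above as an added example (not part of this CVE entry or of any distribution's tooling). It combines "does the running kernel carry the fix?" with "is the SMB client reachable?" into a single verdict. It assumes the distribution records the CVE ID in the kernel package changelog (Debian/Ubuntu and RHEL/Fedora kernels normally do; a self-built kernel has no such record and must be compared against the fix commits) and assumes the usual /usr/share/doc/<package>/changelog.Debian.gz location on Debian-style systems.

```bash
#!/usr/bin/env bash
# Added example, not part of the CVE entry or of any distribution's tooling:
# classify a host for CVE-2024-35863. The changelog check assumes the
# distribution lists the CVE ID in the kernel package changelog; the Debian
# changelog path below is an assumption about the packaging layout.
set -u

CVE_ID='CVE-2024-35863'

# Fix present?  Reads changelog text on stdin; exit 0 if the CVE ID appears.
changelog_has_fix() {
    grep -q -- "$CVE_ID"
}

# SMB client loaded?  Reads 'lsmod' output on stdin; exit 0 if the cifs module
# is listed (the module is named cifs even for SMB2/SMB3 mounts).
cifs_loaded() {
    awk '$1 == "cifs" { found = 1 } END { exit !found }'
}

# Combine the two answers into one of: patched, vulnerable-exposed,
# vulnerable-dormant. Arguments are the exit codes of the two checks above.
classify() {
    local fix_rc="$1" loaded_rc="$2"
    if [ "$fix_rc" -eq 0 ]; then
        echo patched
    elif [ "$loaded_rc" -eq 0 ]; then
        echo vulnerable-exposed      # unpatched and the vulnerable code is live
    else
        echo vulnerable-dormant      # unpatched, but cifs is not loaded right now
    fi
}

# Locate the running kernel's package changelog on RPM or Debian systems by
# asking the package manager which package owns the running kernel image.
running_kernel_changelog() {
    local image pkg
    image="/boot/vmlinuz-$(uname -r)"
    if command -v rpm >/dev/null 2>&1; then
        pkg="$(rpm -qf "$image" 2>/dev/null)" && rpm -q --changelog "$pkg"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg="$(dpkg -S "$image" 2>/dev/null | cut -d: -f1)"
        # assumed location of the Debian changelog for that package
        [ -n "$pkg" ] && zcat "/usr/share/doc/$pkg/changelog.Debian.gz" 2>/dev/null
    fi
}

# Live check: ./check.sh --run   (exit 0 when patched, 1 when vulnerable)
if [ "${1:-}" = "--run" ]; then
    running_kernel_changelog | changelog_has_fix; fix_rc=$?
    lsmod | cifs_loaded; loaded_rc=$?
    verdict="$(classify "$fix_rc" "$loaded_rc")"
    echo "$(uname -r): $verdict"
    [ "$verdict" = patched ]
fi
```

A vulnerable-dormant host is still vulnerable: the module loads on the next mount -t cifs unless it has been blocked as described under Temporary Workarounds.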
📡 Detection & Monitoring
Log Indicators:
- Kernel oops or panic messages (dmesg, journalctl -k, /var/log/messages or /var/log/kern.log) with SMB client functions such as is_valid_oplock_break or other cifs_* symbols in the call trace
- On debug kernels with KASAN, "BUG: KASAN: slab-use-after-free" (or "use-after-free") reports naming cifs functions; production kernels do not log a UAF as such and instead show a general protection fault or an "unable to handle page fault" oops
- SMB client connection errors ("CIFS: VFS:" messages) around unmounts or reconnects shortly before a crash
Network Indicators:
- SMB sessions from client systems to servers outside the expected set of file servers (a rogue or spoofed server is the attacker position for this bug)
- Unusually frequent oplock break notifications (server to client) combined with repeated session teardown and reconnect
SIEM Query:
source="kernel" AND ("Oops" OR "panic" OR "general protection fault" OR "KASAN" OR "use-after-free") AND ("cifs" OR "is_valid_oplock_break")
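Detection logic for the indicators above, as an added example (not from the CVE entry). A single search for "use-after-free" misses production kernels, where the bug surfaces as an oops or general protection fault whose only link to the SMB client is a cifs symbol in the call trace several lines later, so the scanner correlates a fault header with cifs symbols in the lines that follow it. The sample log embedded below is constructed, with made-up addresses and offsets; the 40-line window is a tuning choice.

```bash
#!/usr/bin/env bash
# Added example (not from the CVE entry): flag kernel log output that looks
# like a crash in the SMB client. Constructed sample input; the look-ahead
# window of 40 lines is an assumption about how long a trace can be.
set -u

# Reads kernel log text (dmesg / journalctl -k) on stdin. Prints one line per
# suspected SMB-client crash as "<fault header> :: <first cifs frame>" and
# exits 0 if anything was found, 1 otherwise.
scan_smb_client_crashes() {
    awk '
        # Fault headers that start a trace on production or KASAN kernels.
        /BUG: KASAN: (slab-)?use-after-free|BUG: unable to handle page fault|general protection fault|Oops: |Kernel panic/ {
            header = $0; window = 40; next
        }
        # Within the window after a header, a frame in the cifs module or a
        # known SMB client function ties the fault to this code path. One hit
        # per trace: the window is closed as soon as a frame matches.
        window > 0 {
            window--
            if ($0 ~ /\[cifs\]|is_valid_oplock_break|cifs_|smb2_/) {
                print header " :: " $0
                found++
                window = 0
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: a KASAN report from a debug kernel, a plain oops from a
# production kernel, and an unrelated oops in ext4 that must not be flagged.
SAMPLE_LOG='[  842.120311] BUG: KASAN: slab-use-after-free in is_valid_oplock_break+0x1a4/0x5c0 [cifs]
[  842.120355] Read of size 4 at addr ffff8881042fa018 by task cifsd/1534
[  842.120401] Call Trace:
[  842.120412]  is_valid_oplock_break+0x1a4/0x5c0 [cifs]
[  901.001122] BUG: unable to handle page fault for address: ffff8881042fa018
[  901.001140] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  901.001160] RIP: 0010:is_valid_oplock_break+0x1a4/0x5c0 [cifs]
[  901.001200] Call Trace:
[  901.001210]  cifs_demultiplex_thread+0x9f2/0x1360 [cifs]
[  950.300000] BUG: unable to handle page fault for address: 0000000000000010
[  950.300020] RIP: 0010:ext4_find_entry+0x22/0x60
[  950.300040] Call Trace:
[  950.300050]  ext4_lookup+0x80/0x1e0'

# Number of suspected SMB-client crashes in the constructed sample.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_smb_client_crashes | grep -c .
}

# Live use: journalctl -k -b -1 | scan_smb_client_crashes   (previous boot)
```

Against the sample this reports two hits (the KASAN report and the production oops) and ignores the ext4 crash; the output pairs each fault header with the first cifs frame so an analyst sees immediately which trace to pull.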
🔗 References
- https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2
- https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825
- https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac
- https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29