Login Sign Up

CVE-2024-40922

5.5 MEDIUM
Denial of Service

📋 TL;DR

This CVE describes a Linux kernel vulnerability in the io_uring subsystem where a mutex lock is attempted while the task is not in TASK_RUNNING state, violating kernel scheduling rules. This can lead to system instability or denial of service. It affects Linux systems using io_uring with unpatched kernel versions.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but patches exist in stable kernel trees
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires io_uring subsystem usage; vulnerability triggered during io_uring resource quiescence operations

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash leading to complete denial of service

🟠

Likely Case

System instability, process crashes, or performance degradation

🟢

If Mitigated

Minor performance impact or no noticeable effect with proper patching

🌐 Internet-Facing: MEDIUM - Requires local access or ability to execute io_uring operations
🏢 Internal Only: MEDIUM - Local users or processes can trigger the condition

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to execute io_uring operations; likely requires local access or compromised process

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits: 0c9df3df0c888d9ec8d11a68474a4aa04d371cff, 4429c6c77e176a4c5aa7a3bbd1632f9fc0582518, 54559642b96116b45e4b5ca7fd9f7835b8561272)

Vendor Advisory: https://git.kernel.org/stable/c/0c9df3df0c888d9ec8d11a68474a4aa04d371cff

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution's repositories. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable io_uring module

linux

Prevent loading of io_uring kernel module to avoid vulnerability

echo 'blacklist io_uring' >> /etc/modprobe.d/blacklist.conf
rmmod io_uring

🧯 If You Can't Patch

  • Restrict io_uring usage to trusted processes only
  • Monitor system logs for io_uring-related warnings or crashes

🔍 How to Verify

Check if Vulnerable:

Check kernel version against patched versions in your distribution's security advisories

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version matches patched version and check dmesg for absence of related warnings

📡 Detection & Monitoring

Log Indicators:

  • Kernel warnings about __might_sleep in io_uring context
  • System crashes or panics during io_uring operations

Network Indicators:

  • None - this is a local kernel vulnerability

SIEM Query:

search 'io_uring' AND ('__might_sleep' OR 'WARNING' OR 'panic') in kernel logs

📊 Metadata

CVE ID: CVE-2024-40922
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-667
Published: July 12, 2024
Last Updated: October 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-40922, you might also want to check these:

CVE-2020-12658 9.8

CVE-2020-12658 is a critical vulnerability in gssproxy (GSS-API proxy daemon) where improper mutex h...

Same vulnerability type (CWE-667)
CVE-2020-11284 8.4

This vulnerability allows non-secure boot loaders to unlock and modify memory regions that should re...

Same vulnerability type (CWE-667)
CVE-2021-22530 8.2

CVE-2021-22530 is an authentication bypass vulnerability in NetIQ Advanced Authentication that allow...

Same vulnerability type (CWE-667)