CVE-2024-54458

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free in the Linux kernel's UFS (Universal Flash Storage) BSG (block layer SCSI generic) interface. The bug arises because the bsg_queue pointer is not set to NULL after the queue is removed, so a later access can touch freed memory; the result can be a kernel crash or, in the worst case, arbitrary code execution. It affects Linux systems built with UFS storage support.

💻 Affected Systems

Products:
  • Linux kernel
Versions: The CVE does not list the affected versions explicitly; fixes are available for multiple stable branches
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires UFS storage support enabled in kernel (CONFIG_SCSI_UFS_BSG). Many embedded/mobile devices use UFS storage.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains kernel-level code execution, leading to complete system compromise, privilege escalation to root, or persistent backdoor installation.

🟠 Likely Case

System crash or kernel panic leading to denial of service, potentially requiring physical access or a reboot to restore functionality.

🟢 If Mitigated

No impact if the vulnerable code path is not triggered or if proper kernel hardening measures are in place.

🌐 Internet-Facing: LOW - This is a local kernel vulnerability requiring local access to exploit.
🏢 Internal Only: MEDIUM - Malicious local users or compromised accounts could exploit this for privilege escalation or DoS attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of kernel exploitation techniques. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with commit hashes provided in references

Vendor Advisory: https://git.kernel.org/stable/c/1e95c798d8a7f70965f0f88d4657b682ff0ec75f

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after the reboot.

🔧 Temporary Workarounds

Disable UFS BSG support

Linux

Remove or disable the UFS BSG kernel module so the vulnerable code path cannot be reached

echo 'blacklist ufs_bsg' >> /etc/modprobe.d/blacklist-ufs-bsg.conf
rmmod ufs_bsg

🧯 If You Can't Patch

  • Restrict local user access to systems with UFS storage
  • Implement strict privilege separation and limit users who can access UFS devices

🔍 How to Verify

Check if Vulnerable:

Check whether the UFS BSG module is loaded: lsmod | grep ufs_bsg

Check Version:

uname -r

Verify Fix Applied:

Confirm that the running kernel is a release that includes the fix commit listed under Vendor Advisory, and that the UFS BSG code it carries comes from that patched release
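The checks above, consolidated into one script. This is an added example and not part of the advisory: it combines the advisory's lsmod check with a look at the kernel config, because CONFIG_SCSI_UFS_BSG is a build-time option and when it is set to y the BSG code is compiled into the UFS core driver and never appears in lsmod. The patched release number is not given on this page, so kernel_at_least takes it as an argument; the file names and the constructed sample inputs are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2024-54458 verification (not the advisory's own code).
#
# ufs_bsg_exposure LSMOD_FILE CONFIG_FILE
#   LSMOD_FILE  : captured output of `lsmod`
#   CONFIG_FILE : kernel config text, e.g. /boot/config-$(uname -r)
#                 or the output of `zcat /proc/config.gz`
# Prints exposed-builtin, exposed-module or not-exposed;
# returns 0 when the UFS BSG code is present, 1 otherwise.
ufs_bsg_exposure() {
    lsmod_file=$1
    config_file=$2
    # CONFIG_SCSI_UFS_BSG=y means the BSG code is built into the UFS core
    # driver, so `lsmod | grep ufs_bsg` would wrongly report "not loaded".
    if grep -q '^CONFIG_SCSI_UFS_BSG=y' "$config_file" 2>/dev/null; then
        echo exposed-builtin
        return 0
    fi
    # Fall back to the advisory's check for a separately loaded module.
    if awk '$1 == "ufs_bsg" { found = 1 } END { exit !found }' \
            "$lsmod_file" 2>/dev/null; then
        echo exposed-module
        return 0
    fi
    echo not-exposed
    return 1
}

# kernel_at_least RUNNING MINIMUM
#   Compares two "a.b.c" release strings with `sort -V` and prints
#   "patched" when RUNNING >= MINIMUM, otherwise "unpatched".
#   MINIMUM is the first fixed release from your distribution's changelog
#   (the advisory page does not state it; it is an assumed input here).
kernel_at_least() {
    running=$1
    minimum=$2
    lowest=$(printf '%s\n%s\n' "$minimum" "$running" | sort -V | head -n1)
    if [ "$lowest" = "$minimum" ]; then
        echo patched
        return 0
    fi
    echo unpatched
    return 1
}

# Usage on a live system (assumed paths):
#   lsmod > /tmp/lsmod.txt
#   ufs_bsg_exposure /tmp/lsmod.txt /boot/config-"$(uname -r)"
#   kernel_at_least "$(uname -r)" "<first fixed release>"
```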

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • System crashes/panics related to UFS or SCSI
  • Unexpected kernel module loading/unloading

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND ("UFS" OR "bsg" OR "scsi") AND ("panic" OR "oops" OR "segfault")
