CVE-2024-56764

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's ublk subsystem allows attackers to potentially crash the kernel or execute arbitrary code with kernel privileges. This affects Linux systems using the ublk driver for userspace block devices. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with ublk driver support (introduced in 5.19) up to the patched versions
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ublk driver is loaded and being used. Most systems don't load ublk by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash or arbitrary code execution with kernel privileges, potentially resulting in complete system compromise.

🟠 Likely Case

Kernel panic causing system crash and denial of service, requiring physical or remote console access to reboot.

🟢 If Mitigated

No impact if the system is not using ublk driver or has been patched.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local attackers or malicious users could exploit this to crash systems or potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger ublk operations that cause add_disk() to fail followed by abort requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commits 75cd4005da5492129917a4a4ee45e81660556104 and 7d680f2f76a3417fdfc3946da7471e81464f7b41

Vendor Advisory: https://git.kernel.org/stable/c/75cd4005da5492129917a4a4ee45e81660556104

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix.
2. Check with your distribution for backported patches.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable ublk module

all

Prevent loading of the vulnerable ublk driver

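# The driver's module name is ublk_drv; the install override makes modprobe run /bin/false instead of loading it
echo 'install ublk_drv /bin/false' > /etc/modprobe.d/ublk.conf
rmmod ublk_drv 2>/dev/null || true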

Blacklist ublk module

all

Blacklist the ublk kernel module to prevent loading

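# blacklist only stops alias-based auto-loading; an explicit 'modprobe ublk_drv' still loads the module
echo 'blacklist ublk_drv' >> /etc/modprobe.d/blacklist.conf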

🧯 If You Can't Patch

  • Ensure ublk module is not loaded (check with 'lsmod | grep ublk')
  • Restrict local user access to systems using mandatory access controls like SELinux or AppArmor

🔍 How to Verify

Check if Vulnerable:

Check if ublk module is loaded: 'lsmod | grep ublk'. If loaded and kernel version is unpatched, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commits or verify ublk module is not loaded: 'lsmod | grep -q ublk && echo "Vulnerable" || echo "Fixed/Not vulnerable"'
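
Added example (not part of the original advisory): a check that combines the workaround and verification steps above and distinguishes an install override from a blacklist-only entry. The function names are hypothetical helpers, and the script assumes the in-tree driver's module name ublk_drv; file paths are parameters so it can run against sample files or a live host.

```sh
#!/bin/sh
# Added example: classify a host's exposure to the ublk driver.
# Helper names are hypothetical; ublk_drv is the assumed module name.

# ublk_loaded MODULES_FILE: exit 0 if ublk_drv is listed (exact name match)
# in a /proc/modules-style file.
ublk_loaded() {
    awk '$1 == "ublk_drv" { found = 1 } END { exit !found }' "$1"
}

# ublk_block_state CONF_DIR: print "install-blocked", "blacklist-only" or "none"
# depending on which modprobe.d directives name the module.
ublk_block_state() {
    state=none
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Strip comments first so a commented-out directive does not count.
        if sed 's/#.*//' "$f" | grep -Eq \
            '^[[:space:]]*install[[:space:]]+ublk[-_]drv[[:space:]]+/bin/(false|true)'; then
            state=install-blocked
            break
        fi
        if sed 's/#.*//' "$f" | grep -Eq \
            '^[[:space:]]*blacklist[[:space:]]+ublk[-_]drv([[:space:]]|$)'; then
            state=blacklist-only
        fi
    done
    echo "$state"
}

# ublk_exposure MODULES_FILE CONF_DIR: print a one-line verdict.
ublk_exposure() {
    if ublk_loaded "$1"; then
        echo "LOADED: driver active; exposure depends on whether the running kernel has the fix"
        return
    fi
    case "$(ublk_block_state "$2")" in
        install-blocked) echo "BLOCKED: not loaded, modprobe is overridden" ;;
        blacklist-only)  echo "WEAK: not loaded, but explicit modprobe still loads it" ;;
        *)               echo "LOADABLE: not loaded, nothing prevents loading" ;;
    esac
}

# Live use: ublk_exposure /proc/modules /etc/modprobe.d
```

A kernel built with the driver compiled in does not list it in /proc/modules, so a "not loaded" result on such a kernel is not proof that the driver is absent.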

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages in /var/log/kern.log or dmesg
  • System crashes or reboots without clear cause

Network Indicators:

  • None - local exploitation only

SIEM Query:

EventID=41 OR Source="Linux Kernel" AND (Message="Oops" OR Message="general protection fault")
