CVE-2024-43102
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
05/09/2024
Last modified:
05/09/2024
Description
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.<br />
<br />
A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
Impact
Base Score 3.x
10.00
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:* | 13.0 (including) | 13.3 (excluding) |
| cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:* | ||
| cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page