CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-49852: scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

7.8 CVSS

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

The kref_put() function will call nport->release if the refcount drops to
zero. The nport->release release function is _efc_nport_free() which frees
"nport". But then we dereference "nport" on the next line which is a use
after free. Re-order these lines to avoid the use after free.

Classification

CVE ID: CVE-2024-49852

CVSS Base Severity: HIGH

CVSS Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 10.48% (scored less or equal to compared to others)

EPSS Date: 2025-06-02 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-49852
https://git.kernel.org/stable/c/16a570f07d870a285b0c0b0d1ca4dff79e8aa5ff
https://git.kernel.org/stable/c/abc71e89170ed32ecf0a5a29f31aa711e143e941
https://git.kernel.org/stable/c/baeb8628ab7f4577740f00e439d3fdf7c876b0ff
https://git.kernel.org/stable/c/7c2908985e4ae0ea1b526b3916de9e5351650908
https://git.kernel.org/stable/c/98752fcd076a8cbc978016eae7125b4971be1eec
https://git.kernel.org/stable/c/2e4b02fad094976763af08fec2c620f4f8edd9ae

Timeline

2025-05-04 10:40:20 UTC
CVE

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()