{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-49854","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.016Z","datePublished":"2024-10-21T12:18:46.723Z","dateUpdated":"2025-11-03T22:22:22.684Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:59:07.881Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for accessing waker_bfqq after splitting\n\nAfter commit 42c306ed7233 (\"block, bfq: don't break merge chain in\nbfq_split_bfqq()\"), if the current procress is the last holder of bfqq,\nthe bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and\nthen access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq\nmay in the merge chain of bfqq, hence just recored waker_bfqq is still\nnot safe.\n\nFix the problem by adding a helper bfq_waker_bfqq() to check if\nbfqq->waker_bfqq is in the merge chain, and current procress is the only\nholder."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bfq-iosched.c"],"versions":[{"version":"e0c20d88b7dce85d2703bb6ba77bf359959675cd","lessThan":"63a07379fdb6c72450cb05294461c6016b8b7726","status":"affected","versionType":"git"},{"version":"de6c5e3a456019d2182e345730e59721714fa0b5","lessThan":"de0456460f2abf921e356ed2bd8da87a376680bd","status":"affected","versionType":"git"},{"version":"19f3bec2ac4be329b9bd12b18a989b867618d2d8","lessThan":"0780451f03bf518bc032a7c584de8f92e2d39d7f","status":"affected","versionType":"git"},{"version":"13b3d0e8cb121f99b11918a0d4bcc1ce4647d352","lessThan":"0b8bda0ff17156cd3f60944527c9d8c9f99f1583","status":"affected","versionType":"git"},{"version":"4780f50ea50cfe8e89fc3747bf3dd155488433bb","lessThan":"cae58d19121a70329cf971359e2518c93fec04fe","status":"affected","versionType":"git"},{"version":"42c306ed723321af4003b2a41bb73728cab54f85","lessThan":"1ba0403ac6447f2d63914fb760c44a3b19c44eaf","status":"affected","versionType":"git"},{"version":"9e813033594b141f61ff0ef0cfaaef292564b041","status":"affected","versionType":"git"},{"version":"3a5f45a4ad4e1fd36b0a998eef03d76a4f02a2a8","status":"affected","versionType":"git"},{"version":"3630a18846c7853aa326d3b42fd0a855af7b41bc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bfq-iosched.c"]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.323"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.285"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.227"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/63a07379fdb6c72450cb05294461c6016b8b7726"},{"url":"https://git.kernel.org/stable/c/de0456460f2abf921e356ed2bd8da87a376680bd"},{"url":"https://git.kernel.org/stable/c/0780451f03bf518bc032a7c584de8f92e2d39d7f"},{"url":"https://git.kernel.org/stable/c/0b8bda0ff17156cd3f60944527c9d8c9f99f1583"},{"url":"https://git.kernel.org/stable/c/cae58d19121a70329cf971359e2518c93fec04fe"},{"url":"https://git.kernel.org/stable/c/1ba0403ac6447f2d63914fb760c44a3b19c44eaf"}],"title":"block, bfq: fix uaf for accessing waker_bfqq after splitting","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-49854","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-21T12:56:32.405058Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-21T13:04:11.371Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:22:22.684Z"}}]}}