CVE-2024-37353
Public on
Last Modified:
Description
[REJECTED CVE] A resource management issue exists in the Linux Kernel's virtio module. When request_irq() fails in vp_find_vqs_msix(), the cleanup path incorrectly attempts to free an already released IRQ, resulting in warnings and potential system instability. This issue arises from the mishandling of virtual queue deletion during error handling.
Statement
This CVE has been rejected upstream: https://lore.kernel.org/linux-cve-announce/2024082213-REJECTED-915e@gregkh/T/#u
Red Hat has also evaluated this issue and determined that it does not meet the criteria to be classified as a security vulnerability. This assessment is based on the issue not posing a significant security risk, being a result of misconfiguration or usage error, or falling outside the scope of security considerations.
As such, this CVE has been marked as "Rejected" in alignment with Red Hat's vulnerability management policies.
If you have additional information or concerns regarding this determination, please contact Red Hat Product Security for further clarification.
Additional information
- Bugzilla 2293686: kernel: virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
- CWE-415: Double Free
- FAQ: Frequently asked questions about CVE-2024-37353
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
Red Hat | NVD | |
---|---|---|
CVSS v3 Base Score | 4.4 | N/A |
Attack Vector | Local | N/A |
Attack Complexity | Low | N/A |
Privileges Required | High | N/A |
User Interaction | None | N/A |
Scope | Unchanged | N/A |
Confidentiality Impact | None | N/A |
Integrity Impact | None | N/A |
Availability Impact | High | N/A |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.