CVE-2024-43882— exec: Fix ToCToU between perm check and set-uid/gid usage
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-43882
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
exec: Fix ToCToU between perm check and set-uid/gid usage
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于 exec 组件在设置uid/gid时存在ToCToU问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-43882
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-43882
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-08-21 · 69 CVEs total
| CVE-2022-48877 | f2fs: let's avoid panic if extent_tree is not created | |
| CVE-2024-43874 | crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked | |
| CVE-2024-43873 | vhost/vsock: always initialize seqpacket_allow | |
| CVE-2024-43875 | PCI: endpoint: Clean up error handling in vpci_scan_bus() | |
| CVE-2022-48871 | tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer | |
| CVE-2022-48872 | misc: fastrpc: Fix use-after-free race condition for maps | |
| CVE-2022-48873 | misc: fastrpc: Don't remove map on creater_process and device_release | |
| CVE-2022-48874 | misc: fastrpc: Fix use-after-free and race in fastrpc_map_find | |
| CVE-2022-48875 | wifi: mac80211: sdata can be NULL during AMPDU start | |
| CVE-2022-48876 | wifi: mac80211: fix initialization of rx->link and rx->link_sta | |
| CVE-2022-48870 | tty: fix possible null-ptr-defer in spk_ttyio_release | |
| CVE-2022-48878 | Bluetooth: hci_qca: Fix driver shutdown on closed serdev | |
| CVE-2022-48879 | efi: fix NULL-deref in init error path | |
| CVE-2022-48880 | platform/surface: aggregator: Add missing call to ssam_request_sync_free() | |
| CVE-2022-48881 | platform/x86/amd: Fix refcount leak in amd_pmc_probe | |
| CVE-2022-48882 | net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY) | |
| CVE-2022-48883 | net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent | |
| CVE-2022-48884 | net/mlx5: Fix command stats access after free | |
| CVE-2022-48885 | ice: Fix potential memory leak in ice_gnss_tty_write() | |
| CVE-2022-48886 | ice: Add check for kzalloc |
Showing top 20 of 69 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2024-43882
No comments yet