Decreasing Reference Count Leads to Object Freedom, But Too Many Times Can Cause Panic or Use-After-Free Attacks
CVE-2024-43102

10 CRITICAL

Key Information:

Vendor: FreeBSD

Status
Vendor
CVE Published: 5 September 2024

What is CVE-2024-43102?

A vulnerability exists in FreeBSD's shared memory management, specifically in the handling of concurrent UMTX_SHM_DESTROY sub-requests within UMTX operations. Attackers can exploit this flaw by triggering concurrent removals of anonymous shared memory mappings, which can erroneously decrement the reference count of the associated mapping object too many times. This can free the shared memory object prematurely, causing critical stability issues such as a kernel panic. It also raises the risk of a Use-After-Free condition, potentially enabling code execution and circumvention of the Capsicum sandboxing mechanism.

Affected Version(s)

FreeBSD 14.1-RELEASE

FreeBSD 14.0-RELEASE

FreeBSD 13.3-RELEASE

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project