CVE-2024-36899: Use-after-free vulnerability in the Linux kernel (gpiolib cdev)
In the Linux kernel, the following vulnerability has been resolved:

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of the lineinfo_changed_nb notifier chain failed due to waiting for the write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines.

Here is the typical stack when the issue happened:

[free]
gpio_chrdev_release()
  --> bitmap_free(cdev->watched_lines) <-- freed
  --> blocking_notifier_chain_unregister()
    --> down_write(&nh->rwsem) <-- waiting rwsem
      --> __down_write_common()
        --> rwsem_down_write_slowpath()
          --> schedule_preempt_disabled()
            --> schedule()

[use]
st54spi_gpio_dev_release()
  --> gpio_free()
    --> gpiod_free()
      --> gpiod_free_commit()
        --> gpiod_line_state_notify()
          --> blocking_notifier_call_chain()
            --> down_read(&nh->rwsem); <-- held rwsem
              --> notifier_call_chain()
                --> lineinfo_changed_notify()
                  --> test_bit(xxxx, cdev->watched_lines) <-- use after free

The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway.

To fix the issue, call the bitmap_free() function after the unregistration of the lineinfo_changed_nb notifier chain.
AI Analysis
Technical Summary
CVE-2024-36899 is a use-after-free vulnerability in the Linux kernel's GPIO (General Purpose Input/Output) subsystem, specifically in the character device (cdev) interface code. The flaw arises during the release of a GPIO chip device file: the watched_lines bitmap is freed before the unregistration of the lineinfo_changed_nb notifier block completes. The root cause is the ordering of those two steps combined with the read-write semaphore (rwsem) that serializes access to the notifier chain. When gpio_chrdev_release() closes the device file, bitmap_free() releases watched_lines, but the subsequent unregistration has to wait for the rwsem's write side. Meanwhile, a concurrent GPIO line release on another path holds the read side of the same rwsem and, while walking the chain, invokes lineinfo_changed_notify(), which calls test_bit() on the already freed watched_lines bitmap. The observable side effect is a GPIO line-info event generated for userspace on a device file that is already being closed, so userspace never gets to read it. The fix reorders the release path so that bitmap_free() is called only after the notifier block has been unregistered, which guarantees that no in-flight notification can still reference the bitmap. The affected kernel versions are identified by commit hashes in the CVE record, and the entry was published on May 30, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
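The free-before-unregister ordering from the commit message and the technical summary above, as an added userspace C model of the release path (not kernel code and not from this page): a single-subscriber stand-in for the blocking notifier chain delivers one in-flight notification while the unregistration is still pending, which is the window the stack trace shows. The struct names, bitmap_free_model() and gpio_chrdev_release_model() are assumptions of the model; only the ordering of free versus unregister mirrors the actual patch.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Stand-in for struct gpio_chardev_data: holds the bitmap the callback reads. */
struct cdev_model { unsigned long *watched_lines; };

/* Single-subscriber stand-in for the blocking notifier chain. */
struct chain {
    struct cdev_model *registered;
    bool use_after_free; /* set if the callback runs against a freed bitmap */
};

/* Stand-in for lineinfo_changed_notify(): it dereferences cdev->watched_lines. */
static void lineinfo_changed_notify(struct chain *nh, unsigned int line)
{
    struct cdev_model *cdev = nh->registered;
    /* In the kernel the pointer would dangle and test_bit() would read freed
     * memory; the model nulls it on free so the bad access is observable. */
    if (!cdev->watched_lines) {
        nh->use_after_free = true;
        return;
    }
    (void)(cdev->watched_lines[line / 64] & (1UL << (line % 64)));
}

/* blocking_notifier_chain_unregister() waits for the write rwsem while a gpiod_free()
 * on another CPU still walks the chain under the read side, so the model delivers
 * that in-flight notification before the unregistration takes effect. */
static void chain_unregister(struct chain *nh, unsigned int in_flight_line)
{
    lineinfo_changed_notify(nh, in_flight_line);
    nh->registered = NULL;
}

static void bitmap_free_model(struct cdev_model *cdev)
{
    free(cdev->watched_lines);
    cdev->watched_lines = NULL;
}

/* fixed: patched order (unregister, then free); otherwise the original order. */
bool gpio_chrdev_release_model(bool fixed)
{
    struct cdev_model cdev = { calloc(1, sizeof(unsigned long)) };
    struct chain nh = { &cdev, false };
    if (fixed) {
        chain_unregister(&nh, 3); /* callback still sees a live bitmap */
        bitmap_free_model(&cdev);
    } else {
        bitmap_free_model(&cdev); /* callback will see the freed bitmap */
        chain_unregister(&nh, 3);
    }
    return nh.use_after_free; /* true only for the unpatched order */
}
```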
Potential Impact
For European organizations, the impact of CVE-2024-36899 is primarily a matter of system stability and potential denial of service in environments that rely on Linux-based embedded systems or servers using GPIO interfaces, such as industrial control systems, IoT devices, and specialized hardware platforms. The vulnerability does not directly expose sensitive data or allow privilege escalation, but the use-after-free condition could lead to kernel crashes or unpredictable behavior in affected systems, potentially disrupting critical operations. This is particularly relevant for sectors such as manufacturing, energy, transportation, and telecommunications, where Linux-based embedded devices are common. Because the device file is already being closed, userspace cannot read the spurious GPIO event, which limits the practical exploitation scope; the underlying race condition could nonetheless be leveraged in complex attack chains or combined with other vulnerabilities to escalate impact. Organizations running custom or older Linux kernels with the affected GPIO character device code should be vigilant. The absence of known exploits reduces immediate risk, but the vulnerability's presence in the kernel code base warrants prompt patching to maintain system integrity and availability.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the latest patched versions that include the fix for CVE-2024-36899. Kernel maintainers and system integrators carrying their own gpiolib changes should verify that, as in the official patch, bitmap_free() is called only after the lineinfo_changed_nb notifier block has been unregistered. For embedded and IoT devices where kernel updates may be slower, applying backported patches or vendor-provided security updates is critical. Additionally, organizations should audit their use of GPIO interfaces and device drivers to identify systems potentially affected by this vulnerability. Enabling kernel lockdown features and restricting access to the GPIO character device files (/dev/gpiochip*) reduces the attack surface, since triggering the release path requires opening and closing those files. Monitoring kernel logs for abnormal GPIO events or device file closures may help detect attempts to trigger the race condition. Finally, incorporating this vulnerability into vulnerability management and patching workflows will ensure timely remediation and reduce exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.066Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe25f7
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 9:56:40 AM
Last updated: 8/6/2025, 1:43:37 PM