CVE-2024-42302: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy:

The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device.

Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.)

However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected.

Add the missing reference acquisition.

Abridged stack trace:

  BUG: unable to handle page fault for address: 00000000091400c0
  CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
  RIP: pci_bus_read_config_dword+0x17/0x50
  pci_dev_wait()
  pci_bridge_wait_for_secondary_bus()
  dpc_reset_link()
  pcie_do_recovery()
  dpc_handler()
AI Analysis
Technical Summary
CVE-2024-42302 is a use-after-free vulnerability in the Linux kernel's PCI subsystem, at the intersection of Downstream Port Containment (DPC) event handling and hot-removal of PCI devices. After a DPC event, dpc_handler() waits for the secondary bus below the affected Downstream Port to become ready. It does so by polling the configuration space of the first child device on that bus. If that child device is hot-removed while the poll is in progress, the handler keeps accessing a pci_dev structure that has already been freed, which is a use-after-free and results in a kernel oops (crash). The root cause is that pci_bridge_wait_for_secondary_bus() does not take a reference on the child device, and only a held reference keeps the structure alive across the concurrent removal. Before Linux 6.3 the function was only called on resume from system sleep or on runtime resume, where the pciehp IRQ thread cannot run concurrently, so a reference was not needed. Starting with 6.3, pci_bridge_wait_for_secondary_bus() is also called from the DPC path, which does run concurrently with the PCI hotplug IRQ thread, exposing the race. That change was introduced by commit 53b54ad074de, which was backported to the stable kernels from 5.10 onward, widening the set of affected versions. The consequence is a kernel crash and therefore denial of service. No known exploits have been reported in the wild. The fix adds the missing reference acquisition on the child device so it cannot be freed while the wait is accessing it. The vulnerability affects Linux kernels from the 5.10+ stable releases through 6.9.0 (the kernel in the reported trace) and likely later kernels until the fix is applied.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with PCI devices that support DPC and that may be hot-removed or reset concurrently. This includes servers, workstations, and embedded systems in data centers, industrial control, and telecommunications infrastructure. The impact is mainly denial of service through kernel crashes, which can disrupt critical services and operations. In environments with high availability requirements, such as financial institutions, healthcare providers, and critical infrastructure operators, unexpected kernel panics can lead to service outages, data loss, and operational downtime. Although no direct remote code execution or privilege escalation is indicated, the denial of service could be leveraged as part of a broader attack chain. European organizations relying on Linux-based virtualization hosts, cloud infrastructure, or edge computing devices are particularly at risk if they use affected kernel versions and PCI devices subject to hot-removal or DPC events. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure. The vulnerability also highlights the importance of kernel stability in PCI device management, which is critical in environments with dynamic hardware configurations.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to releases that include the fix. Because the regression was introduced by commit 53b54ad074de and that commit was backported to the 5.10+ stable series, the fix is needed in those stable branches as well, not only in 6.3 and later. Where an immediate kernel upgrade is not feasible, organizations should consider disabling PCI DPC events or hot-removal features if possible, to reduce the chance of the concurrent access that triggers the bug. System administrators should audit their PCI device configurations and hotplug usage to identify systems at risk. Monitoring kernel logs for oops traces in the irq/*-pcie-dpc thread that fault in pci_bus_read_config_dword via pci_dev_wait() and pci_bridge_wait_for_secondary_bus(), as in the reported stack trace, can help detect crashes or attempts to trigger the race. Additionally, organizations should implement robust system recovery and failover mechanisms to minimize downtime from kernel panics. Coordination with Linux distribution vendors for timely patch deployment, with testing in staging environments, is critical. Finally, security teams should maintain awareness of any emerging exploits targeting this vulnerability and update incident response plans accordingly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-30T07:40:12.272Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdccf6
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 8:56:00 PM
Last updated: 8/9/2025, 8:50:57 AM