CVE-2024-47747: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                      CPU1
                       |  ether3_ledoff
ether3_remove          |
  free_netdev(dev);    |
  put_devic            |
  kfree(dev);          |
                       |  ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                       |  // use dev

Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.
AI Analysis
Technical Summary
CVE-2024-47747 is a use-after-free (UAF) vulnerability identified in the Linux kernel's ether3 network driver. The vulnerability arises from a race condition involving a timer callback function (ether3_ledoff) and the device removal routine (ether3_remove). Specifically, the ether3_probe function initializes a timer bound to a previous device's timer structure. When the timer is started, if the device or module is removed concurrently, ether3_remove executes cleanup operations including freeing the network device structure (free_netdev) and deallocating memory (kfree). However, the timer callback may still execute and attempt to access the freed device memory, leading to a use-after-free condition. This can cause undefined behavior such as kernel crashes, memory corruption, or potentially arbitrary code execution within kernel space. The root cause is the failure to cancel the timer before device cleanup, which the patch addresses by ensuring the timer is properly canceled in ether3_remove before freeing resources. The vulnerability affects specific Linux kernel versions identified by commit hashes, indicating it is present in recent kernel builds prior to the fix. No known exploits have been reported in the wild as of the publication date (October 21, 2024).
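An added example, not code from the kernel or from this page: a deterministic userspace C model of the ordering described above, where the device is released while the LED-off timer is still pending, next to the corrected order that cancels the timer first. All model_* names, the CFG2_CTRLO value and the "freed" flag that stands in for kfree() are assumptions of the model.

```c
/* Userspace model (constructed) of the teardown race; not kernel code. */
#include <stdio.h>
#include <string.h>

#define CFG2_CTRLO 0x1000u   /* constructed value, only for the model */

struct model_timer { int pending; void (*fn)(struct model_timer *); };
struct model_dev {
    struct model_timer timer;  /* first member, so the cast below is valid */
    unsigned config2;
    int freed;                 /* set by model_free(); stands in for kfree() */
};

static int uaf_hits;           /* callbacks that touched a released device */

/* Plays the role of ether3_ledoff: reaches the device through its timer. */
static void model_ledoff(struct model_timer *t)
{
    struct model_dev *dev = (struct model_dev *)t;
    if (dev->freed) { uaf_hits++; return; }  /* in the kernel: the UAF */
    dev->config2 |= CFG2_CTRLO;
}

static void model_free(struct model_dev *dev) { dev->freed = 1; }

/* Stand-in for a synchronous cancel such as the kernel's del_timer_sync(). */
static void model_timer_cancel_sync(struct model_timer *t) { t->pending = 0; }

/* What the timer core on CPU1 does once the timer expires. */
static void model_fire_pending(struct model_timer *t)
{
    if (t->pending) { t->pending = 0; t->fn(t); }
}

/* Teardown without cancelling the timer (the order the advisory describes). */
static void remove_buggy(struct model_dev *dev) { model_free(dev); }

/* Teardown that cancels the timer before releasing the device. */
static void remove_fixed(struct model_dev *dev)
{
    model_timer_cancel_sync(&dev->timer);
    model_free(dev);
}

/* Returns the number of accesses to a released device for one order. */
int simulate(int fixed)
{
    static struct model_dev slot;
    memset(&slot, 0, sizeof slot);
    slot.timer.fn = model_ledoff;
    slot.timer.pending = 1;            /* probe armed the LED-off timer */
    uaf_hits = 0;
    if (fixed) remove_fixed(&slot); else remove_buggy(&slot);
    model_fire_pending(&slot.timer);   /* timer expires after remove */
    return uaf_hits;
}

int main(void)
{
    printf("buggy order: %d stale access(es)\n", simulate(0));
    printf("fixed order: %d stale access(es)\n", simulate(1));
    return 0;
}
```

The slot is never actually released, so the model can observe the stale access safely; in the kernel the same access lands in freed memory.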
Potential Impact
For European organizations, this vulnerability poses a significant risk to systems running vulnerable Linux kernel versions with the ether3 network driver enabled. The use-after-free condition can lead to kernel panics or system instability, impacting availability of critical infrastructure such as servers, network appliances, and embedded devices. In worst cases, attackers with local access could exploit this flaw to escalate privileges or execute arbitrary code in kernel context, compromising confidentiality and integrity of sensitive data. Given Linux's widespread use in European enterprise environments, cloud providers, and telecommunications infrastructure, exploitation could disrupt business operations and critical services. The impact is heightened in environments where kernel modules are dynamically loaded/unloaded or where network devices using the ether3 driver are common. Although no public exploits exist yet, the vulnerability's nature and kernel-level access requirements mean that skilled attackers or insiders could weaponize it, especially in targeted attacks against high-value European targets.
Mitigation Recommendations
European organizations should promptly update their Linux kernels to versions that include the patch fixing CVE-2024-47747. Since the vulnerability stems from a race condition involving timers during device removal, applying the official kernel patch that cancels timers before cleanup is essential. System administrators should audit their environments to identify systems running vulnerable kernel versions and the ether3 driver. For environments where immediate patching is not feasible, temporarily disabling or unloading the ether3 driver can reduce exposure. Additionally, organizations should implement strict access controls to limit local user privileges, as exploitation requires local code execution capabilities. Monitoring kernel logs for unusual timer or device removal errors may help detect attempted exploitation. Finally, integrating this vulnerability into vulnerability management and patching workflows ensures timely remediation and reduces risk exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-30T16:00:12.960Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe06c6
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 8:25:33 PM
Last updated: 8/15/2025, 12:31:09 PM