Cyber Resilience

CVE-2024-56764

High

Published: 06 January 2025

Published
06 January 2025
Modified
11 February 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56764 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2024-56764 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ublk driver, which handles user-space block devices. The issue arises in the ublk_abort_requests() function, called during io_uring context exit or timeout handling to abort inflight requests by grabbing a reference to the gendisk. If add_disk() fails during device setup, the gendisk may already be freed, leading to a use-after-free when the function attempts to acquire its reference. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this flaw by triggering a scenario where add_disk() fails in a ublk device setup, followed by ublk_abort_requests() execution. Successful exploitation could result in high-impact consequences, including arbitrary code execution, data corruption, or kernel crashes, potentially enabling privilege escalation from a low-privilege user context.

Mitigation is addressed in upstream Linux kernel patches available in the stable tree. The fixing commits—75cd4005da5492129917a4a4ee45e81660556104 and 7d680f2f76a3417fdfc3946da7471e81464f7b41—detach the gendisk from the ublk device if add_disk() fails, preventing the use-after-free. Security practitioners should apply these patches to affected kernel versions supporting the ublk driver and monitor for updates in their distributions.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ublk: detach gendisk from ublk device if add_disk() fails Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling…

more

timeout. If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so use-after-free can be caused when getting disk's reference in ublk_abort_requests(). Fixes the bug by detaching gendisk from ublk device if add_disk() fails.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in ublk driver directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.13 · 6.7 — 6.12.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and timely remediation of kernel flaws like the use-after-free in the ublk driver through application of available upstream patches.

prevent

Implements memory safeguards such as non-executable memory regions and stack protections that mitigate exploitation of the use-after-free vulnerability even if unpatched.

prevent

Restricts system functionality by disabling unnecessary kernel drivers like ublk, preventing exposure to the vulnerability for systems not requiring user-space block devices.

References