CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: cdev: Fix use after free in lineinfo_changed_notify
The use-after-free issue occurs as follows: when the GPIO chip device file
is being closed by invoking gpio_chrdev_release(), watched_lines is freed
by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier
chain failed due to waiting write rwsem. Additionally, one of the GPIO
chip's lines is also in the release process and holds the notifier chain's
read rwsem. Consequently, a race condition leads to the use-after-free of
watched_lines.
Here is the typical stack when issue happened:
[free]
gpio_chrdev_release()
--> bitmap_free(cdev->watched_lines) <-- freed
--> blocking_notifier_chain_unregister()
--> down_write(&nh->rwsem) <-- waiting rwsem
--> __down_write_common()
--> rwsem_down_write_slowpath()
--> schedule_preempt_disabled()
--> schedule()
[use]
st54spi_gpio_dev_release()
--> gpio_free()
--> gpiod_free()
--> gpiod_free_commit()
--> gpiod_line_state_notify()
--> blocking_notifier_call_chain()
--> down_read(&nh->rwsem); <-- held rwsem
--> notifier_call_chain()
--> lineinfo_changed_notify()
--> test_bit(xxxx, cdev->watched_lines) <-- use after free
The side effect of the use-after-free issue is that a GPIO line event is
being generated for userspace where it shouldn't. However, since the chrdev
is being closed, userspace won't have the chance to read that event anyway.
To fix the issue, call the bitmap_free() function after the unregistration
of lineinfo_changed_nb notifier chain.
Security readout for executives and security teams
Plain-English summary
CVE-2024-36899 is a Linux kernel race condition in GPIO character-device handling. During device close, memory tracking watched GPIO lines can be freed before a notifier is fully unregistered, causing a use-after-free. The published description says the observed side effect is an unnecessary userspace event that cannot be read because the device is closing.
Executive priority
Treat as a planned kernel maintenance item unless your environment heavily uses GPIO in embedded or industrial devices. There is no cited evidence of active exploitation, but kernel memory-safety bugs should not remain untracked. Prioritize vendor-supported updates for affected hardware-control systems.
Technical view
The flaw is in gpiolib cdev lineinfo_changed_notify. gpio_chrdev_release() frees cdev->watched_lines while blocking_notifier_chain_unregister() can wait on a rwsem. A concurrent GPIO line release can call lineinfo_changed_notify() through the notifier chain and test the freed bitmap. Kernel stable commits move bitmap_free() after notifier unregistration.
Likely exposure
Linux systems using affected kernel lines and GPIO character devices are the relevant exposure. This is most likely to matter on embedded, industrial, or hardware-control systems where GPIO is actively used. Exact exposure depends on distribution kernel backports and vendor advisories.
Exploitation context
No active exploitation is indicated in the provided sources, and the CVE is not listed as KEV. The source description frames the known side effect as a stray GPIO line event during close, not a demonstrated privilege escalation or remote attack.
Researcher notes
Evidence is limited to the kernel CVE description, stable commits, and vendor advisories. No CVSS, CWE, or exploit status is provided. The fix ordering is clear: unregister the notifier before freeing watched_lines. Validate against exact downstream kernel backports rather than upstream version numbers alone.
Mitigation direction
Update Linux kernels using vendor packages or stable kernels containing the referenced fixes.
Check Debian LTS advisories if running affected Debian kernel packages.
Check Siemens SSA-265688 for Siemens product-specific guidance.
Prioritize embedded and industrial systems using GPIO character devices.
If patching is delayed, review access to GPIO device files and vendor hardening guidance.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Map systems that expose or use GPIO character devices.
Confirm vendor kernel packages include the stable fix commits.
Review Debian and Siemens advisories for affected product or package status.
Document exceptions where kernel provenance or backport status is unclear.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-36899 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.