LiveActive security incident?Get immediate response
CVE Record

CVE-2024-36899: gpiolib: cdev: Fix use after free in lineinfo_changed_notify

In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-36899 is a Linux kernel race condition in GPIO character-device handling. During device close, memory tracking watched GPIO lines can be freed before a notifier is fully unregistered, causing a use-after-free. The published description says the observed side effect is an unnecessary userspace event that cannot be read because the device is closing.

Executive priority

Treat as a planned kernel maintenance item unless your environment heavily uses GPIO in embedded or industrial devices. There is no cited evidence of active exploitation, but kernel memory-safety bugs should not remain untracked. Prioritize vendor-supported updates for affected hardware-control systems.

Technical view

The flaw is in gpiolib cdev lineinfo_changed_notify. gpio_chrdev_release() frees cdev->watched_lines while blocking_notifier_chain_unregister() can wait on a rwsem. A concurrent GPIO line release can call lineinfo_changed_notify() through the notifier chain and test the freed bitmap. Kernel stable commits move bitmap_free() after notifier unregistration.

Likely exposure

Linux systems using affected kernel lines and GPIO character devices are the relevant exposure. This is most likely to matter on embedded, industrial, or hardware-control systems where GPIO is actively used. Exact exposure depends on distribution kernel backports and vendor advisories.

Exploitation context

No active exploitation is indicated in the provided sources, and the CVE is not listed as KEV. The source description frames the known side effect as a stray GPIO line event during close, not a demonstrated privilege escalation or remote attack.

Researcher notes

Evidence is limited to the kernel CVE description, stable commits, and vendor advisories. No CVSS, CWE, or exploit status is provided. The fix ordering is clear: unregister the notifier before freeing watched_lines. Validate against exact downstream kernel backports rather than upstream version numbers alone.

Mitigation direction

  • Update Linux kernels using vendor packages or stable kernels containing the referenced fixes.
  • Check Debian LTS advisories if running affected Debian kernel packages.
  • Check Siemens SSA-265688 for Siemens product-specific guidance.
  • Prioritize embedded and industrial systems using GPIO character devices.
  • If patching is delayed, review access to GPIO device files and vendor hardening guidance.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded systems.
  • Map systems that expose or use GPIO character devices.
  • Confirm vendor kernel packages include the stable fix commits.
  • Review Debian and Siemens advisories for affected product or package status.
  • Document exceptions where kernel provenance or backport status is unclear.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-36899 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux51c1064e82e77b39a49889287ca50709303e2f26, 51c1064e82e77b39a49889287ca50709303e2f26, 51c1064e82e77b39a49889287ca50709303e2f26, 51c1064e82e77b39a49889287ca50709303e2f26, 51c1064e82e77b39a49889287ca50709303e2f26, 51c1064e82e77b39a49889287ca50709303e2f26unaffected
LinuxLinux5.7, 0, 5.10.234, 5.15.177, 6.1.127, 6.6.31, 6.8.10, 6.9affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.