LiveActive security incident?Get immediate response
CVE Record

CVE-2024-39292: um: Add winch to winch_handlers before registering winch IRQ

In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel race condition in the "um" code path. Under unlucky timing, an interrupt can be registered before its handler is tracked, leaving cleanup code to touch an object that is already being freed. The documented impact is a kernel panic, so the business concern is availability, not confirmed data theft or privilege escalation.

Executive priority

Schedule normal-to-expedited kernel maintenance for exposed Linux systems, especially where availability matters. There is no cited evidence of active exploitation, but kernel panics can still disrupt services. Prioritize based on affected kernel presence and vendor patch availability.

Technical view

The issue concerns winch IRQ registration ordering. An interrupt may occur before the winch object is added to winch_handlers. register_winch_irq() can then leave a soon-to-be-freed or already-freed object on that list, causing a later panic in winch_cleanup(). The kernel fix adds the handler before IRQ registration and rolls back on request failure.

Likely exposure

Exposure appears limited to Linux systems using affected kernel versions and the relevant "um" functionality. The source bundle lists Linux as affected across multiple kernel lines, but does not provide CPEs, package names, or deployment conditions. Confirm exposure through kernel version, distribution backports, and whether User Mode Linux-related code is in use.

Exploitation context

The bundle does not identify active exploitation, public weaponization, or KEV listing. The described failure mode is a timing race that can lead to a panic. Treat this as an availability risk unless vendor advisories add stronger impact details.

Researcher notes

The key detail is ordering: winch_handlers must be updated before registering the winch IRQ, with rollback if um_request_irq() fails. Sources describe a race-driven use-after-free style cleanup failure, but provide no CVSS, CWE, exploitability assessment, or broader impact claims.

Mitigation direction

  • Apply vendor Linux kernel updates that include the referenced stable fixes.
  • Check distribution advisories, including Debian LTS, for patched package versions.
  • Prioritize systems using affected kernel lines or User Mode Linux functionality.
  • Avoid direct deployment from upstream commits unless that matches your kernel maintenance process.

Validation and detection

  • Inventory running kernel versions across Linux hosts and images.
  • Map each system to vendor advisories or stable commits referenced for this CVE.
  • Confirm patched kernels are installed and active after reboot.
  • Review logs for kernel panic events around affected UML or winch handling paths.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-39292 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033, 42a359e31a0e438b5b978a8f0fecdbd3c86bb033unaffected
LinuxLinux2.6.23, 0, 4.19.316, 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.9.4, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.