LiveActive security incident?Get immediate response
CVE Record

CVE-2024-42302: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal

In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred. To do so, it polls the config space of the first child device on the secondary bus. If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device. Before v6.3, the function was only called on resume from system sleep or on runtime resume. Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently. (On resume from system sleep, IRQs are not enabled until after the resume_noirq phase. And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently. The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler()

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel flaw can crash a system when a PCIe Downstream Port Containment event happens at the same time as PCIe hot-removal. The documented impact is a kernel oops from use-after-free, so business urgency is mainly availability for systems using affected kernels and PCIe hot-plug or fault recovery paths.

Executive priority

Treat this as a targeted availability risk, not an internet-wide emergency based on current evidence. Patch during the next appropriate kernel maintenance window, with faster action for critical systems using hot-pluggable PCIe or vendor appliances that list this CVE.

Technical view

The bug is in pci_bridge_wait_for_secondary_bus(), called from DPC recovery since v6.3 and backported to v5.10+ stable. It polls a child pci_dev without holding a reference, allowing concurrent pciehp removal to free the object while dpc_handler() still uses it.

Likely exposure

Exposure is most likely on Linux systems running affected v5.10+ stable or v6.3+ kernel lines with PCIe DPC and hot-removal capability. Servers, appliances, and industrial systems with hot-pluggable PCIe hardware deserve priority review. The bundle does not identify user-space applications as directly affected.

Exploitation context

The sources describe a concurrency race causing a kernel oops during DPC recovery and hot-removal. They do not provide evidence of active exploitation, public weaponization, KEV listing, remote exploitation, or privilege escalation. Exploitability beyond causing availability impact is not established in the provided evidence.

Researcher notes

The key root cause is missing pci_dev reference acquisition in a DPC recovery path introduced by commit 53b54ad074de and backported to v5.10+ stable. The provided stack trace shows pci_bus_read_config_dword through dpc_handler. No CVSS, CWE, or confirmed exploit status is included.

Mitigation direction

  • Update to a vendor kernel build that includes the referenced PCI/DPC fix.
  • Prioritize systems with PCIe hot-plug, DPC support, or removable PCIe devices.
  • Check distribution and appliance vendor advisories for fixed package versions.
  • Avoid nonessential PCIe hot-removal on affected systems until patched where operationally feasible.
  • Monitor kernel logs for DPC, pciehp, and kernel oops events.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded systems.
  • Check whether running kernels include the CVE-2024-42302 stable fix commits.
  • Review vendor advisories for affected and fixed versions for each platform.
  • Identify hosts with PCIe DPC and hot-plug hardware exposure.
  • Search kernel logs for pci_bridge_wait_for_secondary_bus, dpc_handler, and pciehp oops traces.
Prepared
Confidence
high
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-42302 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd0292124bb5787a2f1ab1316509e801ca89c10fb, ffe2318405e605f1b3985ce188eff69e6d1d1baa, 189f856e76f5463f59efb5fc18dcc1692d04c41a, 53b54ad074de1896f8b021615f65b27f557ce874, 53b54ad074de1896f8b021615f65b27f557ce874, 53b54ad074de1896f8b021615f65b27f557ce874, 0081032082b5b45ca902b3c3d6986cb5cca69ff2, 5.10.176, 5.15.104, 6.1.16, 6.2.3unaffected
LinuxLinux6.3, 0, 5.10.224, 5.15.165, 6.1.103, 6.6.44, 6.10.3, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.