CVE-2024-43869: perf: Fix event leak upon exec and file release
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix event leak upon exec and file release
The perf pending task work is never waited upon the matching event
release. In the case of a child event, released via free_event()
directly, this can potentially result in a leaked event, such as in the
following scenario that doesn't even require a weak IRQ work
implementation to trigger:
schedule()
prepare_task_switch()
=======> <NMI>
perf_event_overflow()
event->pending_sigtrap = ...
irq_work_queue(&event->pending_irq)
<======= </NMI>
perf_event_task_sched_out()
event_sched_out()
event->pending_sigtrap = 0;
atomic_long_inc_not_zero(&event->refcount)
task_work_add(&event->pending_task)
finish_lock_switch()
=======> <IRQ>
perf_pending_irq()
//do nothing, rely on pending task work
<======= </IRQ>
begin_new_exec()
perf_event_exit_task()
perf_event_exit_event()
// If is child event
free_event()
WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
// event is leaked
Similar scenarios can also happen with perf_event_remove_on_exec() or
simply against concurrent perf_event_release().
Fix this with synchonizing against the possibly remaining pending task
work while freeing the event, just like is done with remaining pending
IRQ work. This means that the pending task callback neither need nor
should hold a reference to the event, preventing it from ever beeing
freed.
Security readout for executives and security teams
Plain-English summary
CVE-2024-43869 is a Linux kernel perf subsystem bug where a performance event can be leaked during process exec or file release. The public record does not provide CVSS, a confirmed business impact, or evidence of active exploitation.
Executive priority
Treat as a kernel maintenance item until vendor severity clarifies impact. Prioritize normal patch cycles, with faster handling for shared Linux hosts or environments running untrusted workloads.
Technical view
The issue is a race around perf pending task work, pending IRQ work, event release, and child event freeing. In specific timing, reference handling can leave an event leaked. The kernel fix synchronizes freeing with remaining pending task work.
Likely exposure
Exposure is limited to systems running affected Linux kernel builds with the vulnerable perf code. Distribution package status may differ because vendors backport fixes, so kernel package advisories should be authoritative.
Exploitation context
The source describes an internal kernel race scenario involving NMI, IRQ, task work, exec, and perf event release. KEV is false, and the provided sources do not claim active exploitation or public weaponization.
Researcher notes
Evidence supports a perf event leak caused by insufficient synchronization during event freeing. The public bundle does not establish privilege impact, denial-of-service reliability, affected configurations beyond Linux, or exploit availability.
Mitigation direction
Update Linux kernels through the relevant distribution or vendor channel.
Check whether the installed kernel includes the referenced stable fixes.
Review Debian LTS guidance if using Debian LTS kernels.
Track vendor advisories for package-specific fixed versions.
Validation and detection
Inventory Linux kernel versions across servers, containers hosts, and appliances.
Map kernel packages to vendor advisories, not only upstream version numbers.
Confirm whether affected systems use kernel builds containing the stable perf fix.
Prioritize validation on multi-user or untrusted-workload Linux systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-43869 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.