VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-d3yu-1y9x-1bgf

Essentials
Severities (7)
References (16)
Severity details (5)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-d3yu-1y9x-1bgf
Aliases	CVE-2024-39508
Summary	In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. This ensures thread-safe manipulation of worker flags. Also, move `create_index` to avoid holes in the structure.
Status	Published
Exploitability	0.5
Weighted Severity	6.3
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-820

Missing Synchronization

System	Score	Found at
cvssv3	7.0	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39508.json
epss	7e-05	https://api.first.org/data/v1/epss?cve=CVE-2024-39508
epss	7e-05	https://api.first.org/data/v1/epss?cve=CVE-2024-39508
cvssv3.1	6.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc	Track	https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf
ssvc	Track	https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab
ssvc	Track	https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39508.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-39508
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39508
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1cbb0affb15470a9621267fe0a8568007553a4bf		https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf
2297480		https://bugzilla.redhat.com/show_bug.cgi?id=2297480
8a565304927fbd28c9f028c492b5c1714002cbab		https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab
ab702c3483db9046bab9f40306f1a28b22dbbdc0		https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0
RHSA-2024:9315		https://access.redhat.com/errata/RHSA-2024:9315
USN-6999-1		https://usn.ubuntu.com/6999-1/
USN-6999-2		https://usn.ubuntu.com/6999-2/
USN-7004-1		https://usn.ubuntu.com/7004-1/
USN-7005-1		https://usn.ubuntu.com/7005-1/
USN-7005-2		https://usn.ubuntu.com/7005-2/
USN-7008-1		https://usn.ubuntu.com/7008-1/
USN-7029-1		https://usn.ubuntu.com/7029-1/

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39508.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T17:06:48Z/ Found at https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T17:06:48Z/ Found at https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T17:06:48Z/ Found at https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0

Exploit Prediction Scoring System (EPSS)

Percentile	0.00595
EPSS Score	7e-05
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:51:00.487065+00:00	Debian Importer	Import	https://security-tracker.debian.org/tracker/data/json	38.6.0