CVE-2024-47747 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition
In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:
CPU0                          CPU1
                              | ether3_ledoff
ether3_remove                 |
  free_netdev(dev);           |
    put_devic                 |
      kfree(dev);             |
                              | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                              | // use dev
Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability CVE-2024-47747 represents a use-after-free condition in the Linux kernel's ether3 network driver that stems from a race condition during device removal operations. This issue affects the seeq ethernet driver implementation within the networking subsystem, specifically involving the ether3_probe and ether3_remove functions. The flaw manifests when the timer callback function ether3_ledoff accesses device memory after the device has been freed, creating a classic use-after-free scenario that can lead to system instability or potential privilege escalation.
The technical root cause involves improper synchronization between the timer callback execution and device cleanup operations. During normal operation, the ether3_probe function initializes a timer with ether3_ledoff as its callback, binding it to the timer structure embedded in the device's private data. When the device removal process is initiated through ether3_remove, the driver frees the device memory structures, including the netdev and the associated private data. However, if the timer is still pending at that point, its callback fires after the free and dereferences memory that has already been deallocated, resulting in undefined behavior and potential memory corruption.
This vulnerability directly maps to CWE-416, which describes the use of memory after it has been freed, and also relates to CWE-362, which covers race conditions that can lead to concurrent access violations. The operational impact extends beyond simple memory corruption as the race condition can be exploited to cause system crashes, data corruption, or potentially enable privilege escalation attacks depending on the specific system configuration and exploitation vector. The issue is particularly concerning in embedded systems or network appliances that rely heavily on the ether3 driver for network connectivity.
The mitigation strategy requires implementing proper timer cancellation before device cleanup operations commence. The fix involves ensuring that any active timers are explicitly canceled using the appropriate kernel timer APIs before proceeding with memory deallocation. This approach prevents the timer callback from accessing freed memory structures while maintaining the intended functionality of the driver. The solution aligns with ATT&CK technique T1059.001 for privilege escalation through kernel exploitation and addresses the broader category of kernel memory safety vulnerabilities. System administrators should prioritize applying the kernel patch that implements this fix, particularly in environments where the ether3 driver is actively used, as the vulnerability can be triggered through normal device removal sequences and may be exploitable in certain attack scenarios.
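The two removal orders side by side, as an added illustration rather than the driver's or the kernel's code: a constructed userspace model in which the LED-off timer is embedded in the private data like priv(dev)->timer, a small array stands in for the kernel timer wheel, and the ether3_* names are stubs reimplemented here (the CFG2_CTRLO value is a placeholder, not the hardware bit). The vulnerable order leaves an armed timer pointing at freed memory; cancelling the timer before cleanup, as the fix does, leaves none.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed userspace model of the ether3 race, not kernel code: the LED-off
 * timer is embedded in the private data like priv(dev)->timer, a tiny "timer
 * wheel" holds armed timers, and free_netdev() records what it released. */
struct ether3_priv;
struct timer { void (*fn)(struct ether3_priv *); struct ether3_priv *owner; };
struct ether3_priv { unsigned int config2; struct timer timer; };

#define CFG2_CTRLO 0x01             /* placeholder bit value, not the driver's */
#define WHEEL_MAX 8
static struct timer *wheel[WHEEL_MAX];   /* armed timers, stand-in for the kernel wheel */
static int n_wheel;
static uintptr_t freed[WHEEL_MAX];       /* timer addresses whose memory has been freed */
static int n_freed;

static void ether3_ledoff(struct ether3_priv *p) { p->config2 |= CFG2_CTRLO; } /* the "use dev" */
static void add_timer(struct timer *t) { wheel[n_wheel++] = t; }
static void del_timer_sync(struct timer *t) {   /* cancel: unlink from the wheel */
    for (int i = 0; i < n_wheel; i++)
        if (wheel[i] == t) { wheel[i] = wheel[--n_wheel]; return; }
}
static void free_netdev(struct ether3_priv *p) { freed[n_freed++] = (uintptr_t)&p->timer; free(p); }

static struct ether3_priv *ether3_probe(void) {
    struct ether3_priv *p = calloc(1, sizeof *p);
    p->timer.fn = ether3_ledoff; p->timer.owner = p;
    add_timer(&p->timer);           /* armed by a transmit, still pending at removal */
    return p;
}

/* Armed timers whose memory is already gone: each would run ether3_ledoff on
 * freed memory the next time the wheel fires, i.e. the UAF from the advisory. */
static int dangling_timers(void) {
    int n = 0;
    for (int i = 0; i < n_wheel; i++)
        for (int j = 0; j < n_freed; j++)
            if ((uintptr_t)wheel[i] == freed[j]) n++;
    return n;
}
/* 0 = original ether3_remove (free with the timer still armed); 1 = fixed order. */
static int remove_scenario(int fixed) {
    n_wheel = n_freed = 0;
    struct ether3_priv *p = ether3_probe();
    if (fixed) del_timer_sync(&p->timer);   /* the fix: cancel before any cleanup */
    free_netdev(p);
    return dangling_timers();               /* 1 for the vulnerable order, 0 for the fixed */
}
```

The model only counts the dangling timer instead of firing it, so it reproduces the ordering defect without actually touching freed memory.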