CVE-2024-58093 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
PCI/ASPM: Fix link state exit during switch upstream function removal
Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed.
That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.
After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link.
That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.
The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.
On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone.
[kwilczynski: commit log]
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability CVE-2024-58093 represents a critical use-after-free condition within the Linux kernel's PCI Advanced Switch Power Management (ASPM) subsystem, specifically affecting the handling of PCIe switch upstream function removal operations. This flaw occurs in the kernel's device management routines where the ASPM link state is improperly managed during hot-unplug scenarios, creating a window where memory references become invalid before the memory is actually freed. The issue manifests when PCIe switches with Multi-Function Device (MFD) configurations are involved, particularly when the upstream port contains a virtual P2P bridge function that serves as the primary function for the internal bus. The vulnerability stems from improper timing in the cleanup process of ASPM link structures, which are used to manage power states and link configurations in PCIe devices.
The technical implementation of this vulnerability involves a race condition within the PCI subsystem's link state management code where the kernel attempts to free ASPM parent link structures at inappropriate times during device removal sequences. Prior to the problematic commit, the system would delay ASPM link freeing until the final function on a bus was removed, which created a use-after-free scenario when sibling functions were removed before function 0. The subsequent fix attempted to address this by freeing link structures immediately upon any function removal, but this introduced a new problem where links were freed prematurely when non-zero functions were removed from switches with MFD upstream ports. This premature cleanup occurs because the system fails to recognize that downstream ports may still reference the parent link structure, leading to invalid memory access patterns and kernel page faults.
The operational impact of CVE-2024-58093 is severe and particularly pronounced during hot-unplug operations, where the kernel's PCI hot-plug subsystem removes devices in reverse order from the link bus. This vulnerability can result in kernel page faults (GPFs) that cause system instability, potential kernel panics, and complete system crashes during normal hardware removal procedures. The flaw affects systems running Linux kernels with PCIe switch support, particularly those managing complex multi-function device configurations where virtual P2P bridges are used to connect internal buses. The vulnerability is especially dangerous in server environments where hot-plug capabilities are frequently utilized for maintenance operations, as it can cause unexpected system shutdowns and data loss. The issue is classified under CWE-416, Use After Free, which represents a common and dangerous class of memory corruption vulnerabilities that can be exploited for privilege escalation or denial of service attacks.
Mitigation strategies for CVE-2024-58093 require immediate kernel updates to apply the corrected commit that ensures ASPM link structures are freed only when function 0 is removed, after all subordinate links have been properly cleaned up. System administrators should prioritize applying security patches from their respective Linux distributions, as the vulnerability is specifically addressed in kernel versions that incorporate the fix for the PCI/ASPM subsystem. Organizations should implement monitoring for kernel page faults and system stability issues during hot-unplug operations, as these may indicate exploitation attempts or unpatched systems. The fix aligns with ATT&CK technique T1059.003 for privilege escalation through kernel exploitation, making it a critical vulnerability for security teams to address immediately. Additionally, systems should be configured to avoid aggressive hot-unplug operations during peak usage periods, and comprehensive testing should be performed after patch application to ensure no regressions in PCIe device management functionality occur.