High severity 7.8 · NVD Advisory · Published Dec 27, 2024 · Updated Jun 17, 2026
CVE-2024-56561
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy()
pci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI domain ID, but there are two issues:
- 'epc->dev' is passed to pci_bus_release_domain_nr() which was already freed by device_unregister(), leading to a use-after-free issue.
- Domain ID corresponds to the EPC device parent, so passing 'epc->dev' is also wrong.
Fix these issues by passing 'epc->dev.parent' to pci_bus_release_domain_nr() and also do it before device_unregister().
[mani: reworded subject and description]
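The two problems described above (release after unregister, and release against the wrong device) shown in a small userspace C model. This is an added example, not the kernel patch or code from the advisory; the struct and function names, and the `live` flag that stands in for freed memory, are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model: every name is a hypothetical stand-in, not a kernel API.
 * "live = false" stands in for the struct having been freed. */
#define MAX_DOMAINS 4
struct device { struct device *parent; bool live; };
struct epc { struct device dev; int domain_nr; };
static struct device *domain_owner[MAX_DOMAINS]; /* domain ID -> owning parent */

/* Refuses a dead device (models the use-after-free) and a non-owner. */
static bool domain_release(struct device *dev, int nr)
{
    if (!dev->live || nr < 0 || nr >= MAX_DOMAINS || domain_owner[nr] != dev)
        return false;
    domain_owner[nr] = NULL;
    return true;
}

/* Order the description calls broken: unregister, then release via epc->dev. */
static bool destroy_buggy(struct epc *epc)
{
    epc->dev.live = false;                      /* models device_unregister() */
    return domain_release(&epc->dev, epc->domain_nr);
}

/* Order the description gives as the fix: release via the parent first. */
static bool destroy_fixed(struct epc *epc)
{
    bool ok = domain_release(epc->dev.parent, epc->domain_nr);
    epc->dev.live = false;                      /* models device_unregister() */
    return ok;
}

/* Returns true when the domain ID was handed back during teardown. */
static bool run(bool fixed)
{
    struct device parent = { NULL, true };
    struct epc epc = { { &parent, true }, 0 };
    domain_owner[0] = &parent;                  /* parent owns domain ID 0 */
    bool ok = fixed ? destroy_fixed(&epc) : destroy_buggy(&epc);
    domain_owner[0] = NULL;                     /* reset the model between runs */
    return ok;
}
int main(void)
{
    printf("buggy order released the ID: %d\n", run(false));
    printf("fixed order released the ID: %d\n", run(true));
    return 0;
}
```

In the model the buggy order fails safely because the liveness flag is checked; in the kernel the same access reads memory that device_unregister() has already freed.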
Affected products
- osv-coords (2 versions)
  - pkg:deb/ubuntu/linux-lowlatency@6.11.0-1011.12?arch=source&distro=oracular
  - pkg:deb/ubuntu/linux-raspi@6.11.0-1010.10?arch=source&distro=oracular
- (no CPE) range: < 6.11.0-1011.12
- (no CPE) range: < 6.11.0-1010.10