Upgrade Amazon-Linux:2023 kernel-libbpf-static to version 0:6.1.82-99.168.amzn2023 or higher. This issue was patched in ALAS2023-2024-784 .

CVE-2024-27404 in kernel-libbpf-static | CVE-2024-27404

Threat Intelligence

0.05% (18^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-AMZN2023-KERNELLIBBPFSTATIC-8688815
published6 Feb 2025
disclosed20 Jan 2025

Report a new vulnerability Found a mistake?

Introduced: 20 Jan 2025

NewCVE-2025-21655 (opens in a new tab) CWE-362 (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 kernel-libbpf-static to version 0:6.1.127-135.201.amzn2023 or higher.
This issue was patched in ALAS2023-2025-823.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-libbpf-static package and not the kernel-libbpf-static package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period

io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period.

Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.

Race Condition Affecting kernel-libbpf-static package, versions <0:6.1.127-135.201.amzn2023

Severity