cve/2024/CVE-2024-35887.md

### [CVE-2024-35887](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35887)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=1da177e4c3f4%3C%2074204bf9050f%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In the Linux kernel, the following vulnerability has been resolved:ax25: fix use-after-free bugs caused by ax25_ds_del_timerWhen the ax25 device is detaching, the ax25_dev_device_down()calls ax25_ds_del_timer() to cleanup the slave_timer. Whenthe timer handler is running, the ax25_ds_del_timer() thatcalls del_timer() in it will return directly. As a result,the use-after-free bugs could happen, one of the scenariosis shown below:      (Thread 1)          |      (Thread 2)                          | ax25_ds_timeout()ax25_dev_device_down()    |  ax25_ds_del_timer()     |    del_timer()           |  ax25_dev_put() //FREE   |                          |  ax25_dev-> //USEIn order to mitigate bugs, when the device is detaching, usetimer_shutdown_sync() to stop the timer.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/bygregonline/devsec-fastapi-report
Update CVE sources 2025-09-29 16:08 2025-09-29 16:08:36 +00:00			`### [CVE-2024-35887](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35887)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=1da177e4c3f4%3C%2074204bf9050f%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:ax25: fix use-after-free bugs caused by ax25_ds_del_timerWhen the ax25 device is detaching, the ax25_dev_device_down()calls ax25_ds_del_timer() to cleanup the slave_timer. Whenthe timer handler is running, the ax25_ds_del_timer() thatcalls del_timer() in it will return directly. As a result,the use-after-free bugs could happen, one of the scenariosis shown below: (Thread 1) \| (Thread 2) \| ax25_ds_timeout()ax25_dev_device_down() \| ax25_ds_del_timer() \| del_timer() \| ax25_dev_put() //FREE \| \| ax25_dev-> //USEIn order to mitigate bugs, when the device is detaching, usetimer_shutdown_sync() to stop the timer.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/bygregonline/devsec-fastapi-report`