CVE-2024-41051

Severity: HIGH · EPSS 19.2%
Published Jul 29, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1: 7.8 (High)

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object, the cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it causes a use-after-free, as shown in the interleaving below (four processes A to D, listed in time order):

  process A:  cachefiles_ondemand_send_req()
                // send a read req X
                // wait for its completion

  process B:  // close ondemand fd
              cachefiles_ondemand_fd_release()
                // set object as CLOSE

  process C:  cachefiles_ondemand_daemon_read()
                // set object as REOPENING
                queue_work(fscache_wq, &info->ondemand_work)

  process D:  // close /dev/cachefiles
              cachefiles_daemon_release()
                cachefiles_flush_reqs()
                  complete(&req->done)

  process A:  // read req X is completed
              // umount the erofs fs
              cachefiles_put_object()
                // object will be freed
                cachefiles_ondemand_deinit_obj_info()
                  kmem_cache_free(object)

  workqueue (queued by process C):
              // both info and object are freed
              ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish.

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 19.2% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-416: Use After Free (Memory Safety)

Affected Products (10)

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥6.1.95 – <6.1.100
linux    linux_kernel   *         ≥6.6.35 – <6.6.41
linux    linux_kernel   *         ≥6.8 – <6.9.10
linux    linux_kernel   6.10      any
linux    linux_kernel   6.10      any
linux    linux_kernel   6.10      any
linux    linux_kernel   6.10      any
linux    linux_kernel   6.10      any
linux    linux_kernel   6.10      any
linux    linux_kernel   6.10      any

References (5)

  • https://git.kernel.org/stable/c/12e009d60852f7bce0afc373ca0b320f14150418 (Patch)
  • https://git.kernel.org/stable/c/b26525b2183632f16a3a4108fe6a4bfa8afac6ed (Patch)
  • https://git.kernel.org/stable/c/d3179bae72b1b5e555ba839d6d9f40a350a4d78a (Patch)
  • https://git.kernel.org/stable/c/ec9289369259d982e735a71437e32e6b4035290c (Patch)
  • https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Remediation

  • https://git.kernel.org/stable/c/12e009d60852f7bce0afc373ca0b320f14150418 (Patch)
  • https://git.kernel.org/stable/c/b26525b2183632f16a3a4108fe6a4bfa8afac6ed (Patch)
  • https://git.kernel.org/stable/c/d3179bae72b1b5e555ba839d6d9f40a350a4d78a (Patch)
  • https://git.kernel.org/stable/c/ec9289369259d982e735a71437e32e6b4035290c (Patch)