CVE-2024-49889

HIGH EPSS 16.9%
Published Oct 21, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)
7.8 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid use-after-free in ext4_ext_show_leaf()

In ext4_find_extent(), path may be freed by error or be reallocated, so using a previously saved *ppath may have been freed and thus may trigger use-after-free, as follows:

    ext4_split_extent
      path = *ppath;
      ext4_split_extent_at(ppath)
      path = ext4_find_extent(ppath)
      ext4_split_extent_at(ppath)
        // ext4_find_extent fails to free path
        // but zeroout succeeds
      ext4_ext_show_leaf(inode, path)
        eh = path[depth].p_hdr
        // path use-after-free !!!

Similar to ext4_split_extent_at(), we use *ppath directly as an input to ext4_ext_show_leaf(). Fix a spelling error by the way.

Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.

This issue is triggered only when EXT_DEBUG is defined and therefore does not affect functionality.
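The stale-alias pattern from the description, modelled in user space as an added example (it is not kernel code and not the upstream patch). find_extent_model(), show_leaf_model() and struct path_ent are hypothetical stand-ins for ext4_find_extent(), ext4_ext_show_leaf() and struct ext4_ext_path; the saved pointer is compared by value only and never dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>

struct hdr { int entries; };
struct path_ent { struct hdr *p_hdr; };  /* hypothetical stand-in for struct ext4_ext_path */

static struct hdr leaf = { 3 };          /* constructed sample leaf header */

/* Hypothetical stand-in for ext4_find_extent(): installs a new array in
 * *ppath and frees the old one, as a reallocation would. */
static int find_extent_model(struct path_ent **ppath, int depth)
{
    struct path_ent *fresh = calloc((size_t)depth + 1, sizeof(*fresh));
    if (!fresh)
        return -1;                       /* *ppath left untouched on failure */
    fresh[depth].p_hdr = &leaf;
    free(*ppath);                        /* every saved copy of *ppath now dangles */
    *ppath = fresh;
    return 0;
}

/* Hypothetical stand-in for ext4_ext_show_leaf(): reads path[depth].p_hdr. */
static int show_leaf_model(const struct path_ent *path, int depth)
{
    return path[depth].p_hdr->entries;
}

/* Pre-fix shape: the caller saves `path = *ppath` before the call. Returns 1
 * when that saved value no longer equals *ppath. The saved value is kept as an
 * integer and never dereferenced, so the model itself stays well defined. */
int saved_alias_is_stale(int depth)
{
    struct path_ent *p = calloc((size_t)depth + 1, sizeof(*p));
    uintptr_t saved = (uintptr_t)p;      /* path = *ppath; */
    if (!p || find_extent_model(&p, depth)) { free(p); return -1; }
    int stale = saved != (uintptr_t)p;
    free(p);
    return stale;
}

/* Post-fix shape: read *ppath again at the point of use. */
int show_leaf_via_ppath(int depth)
{
    struct path_ent *p = calloc((size_t)depth + 1, sizeof(*p));
    if (!p || find_extent_model(&p, depth)) { free(p); return -1; }
    int entries = show_leaf_model(p, depth);
    free(p);
    return entries;
}
```

Because the model allocates the new array before freeing the old one, the two addresses always differ, which is why the saved copy is reliably reported as stale.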

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
16.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 6

Vendor  Product       Version  Range
linux   linux_kernel  *        <5.10.227
linux   linux_kernel  *        ≥5.11 – <5.15.168
linux   linux_kernel  *        ≥5.16 – <6.1.113
linux   linux_kernel  *        ≥6.2 – <6.6.55
linux   linux_kernel  *        ≥6.7 – <6.10.14
linux   linux_kernel  *        ≥6.11 – <6.11.3

References 11

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-355557.html
  • git.kernel.org https://git.kernel.org/stable/c/2eba3b0cc5b8de624918d21f32b5b8db59a90b39
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/34b2096380ba475771971a778a478661a791aa15
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4999fed877bb64e3e7f9ab9996de2ca983c41928
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e2524ba2ca5f54bdbb9e5153bea00421ef653f5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b114f2cc7dd5d36729d040b68432fbd0f0a8868
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b0cb4561fc4284d04e69c8a66c8504928ab2484e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d483c7cc1796bd6a80e7b3a8fd494996260f6b67
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2eba3b0cc5b8de624918d21f32b5b8db59a90b39
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/34b2096380ba475771971a778a478661a791aa15
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4999fed877bb64e3e7f9ab9996de2ca983c41928
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e2524ba2ca5f54bdbb9e5153bea00421ef653f5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b114f2cc7dd5d36729d040b68432fbd0f0a8868
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b0cb4561fc4284d04e69c8a66c8504928ab2484e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d483c7cc1796bd6a80e7b3a8fd494996260f6b67
    Patch