
CVE-2024-26868: Vulnerability in the Linux kernel

Severity: High
Published: Wed Apr 17 2024 (04/17/2024, 10:27:29 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nfs: fix panic when nfs4_ff_layout_prepare_ds() fails

We've been seeing the following panic in production

BUG: kernel NULL pointer dereference, address: 0000000000000065
PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0
RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]
Call Trace:
 <TASK>
 ? __die+0x78/0xc0
 ? page_fault_oops+0x286/0x380
 ? __rpc_execute+0x2c3/0x470 [sunrpc]
 ? rpc_new_task+0x42/0x1c0 [sunrpc]
 ? exc_page_fault+0x5d/0x110
 ? asm_exc_page_fault+0x22/0x30
 ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]
 ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]
 ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]
 pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]
 pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]
 ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]
 nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]
 ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]
 __nfs_pageio_add_request+0x154/0x6c0 [nfs]
 nfs_pageio_add_request+0x26b/0x380 [nfs]
 nfs_do_writepage+0x111/0x1e0 [nfs]
 nfs_writepages_callback+0xf/0x30 [nfs]
 write_cache_pages+0x17f/0x380
 ? nfs_pageio_init_write+0x50/0x50 [nfs]
 ? nfs_writepages+0x6d/0x210 [nfs]
 ? nfs_writepages+0x6d/0x210 [nfs]
 nfs_writepages+0x125/0x210 [nfs]
 do_writepages+0x67/0x220
 ? generic_perform_write+0x14b/0x210
 filemap_fdatawrite_wbc+0x5b/0x80
 file_write_and_wait_range+0x6d/0xc0
 nfs_file_fsync+0x81/0x170 [nfs]
 ? nfs_file_mmap+0x60/0x60 [nfs]
 __x64_sys_fsync+0x53/0x90
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Inspecting the core with drgn I was able to pull this

>>> prog.crashed_thread().stack_trace()[0]
#0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27
>>> prog.crashed_thread().stack_trace()[0]['idx']
(u32)1
>>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds
(struct nfs4_ff_layout_ds *)0xffffffffffffffed

This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() which could error out initializing the mirror_ds, and then we go to clean it all up and our check is only for if (!mirror->mirror_ds). This is inconsistent with the rest of the users of mirror_ds, which have if (IS_ERR_OR_NULL(mirror_ds)) to keep from tripping over this exact scenario. Fix this up in ff_layout_cancel_io() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirror_ds and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid.

AI-Powered Analysis

Last updated: 06/29/2025, 19:40:41 UTC

Technical Analysis

CVE-2024-26868 is a vulnerability in the Linux kernel's NFS client, specifically in the nfs_layout_flexfiles module that implements the pNFS (parallel NFS) flexible-files layout. It is an error-handling bug in ff_layout_cancel_io(), which runs when a layout segment is marked for return, for example after nfs4_ff_layout_prepare_ds() has failed to set up one mirror's data server (the per-mirror struct nfs4_ff_layout_ds reached through mirror->mirror_ds). On that path mirror_ds does not hold NULL but a kernel error pointer: the drgn output in the description shows 0xffffffffffffffed, which is -19, i.e. ERR_PTR(-ENODEV). ff_layout_cancel_io() only tested if (!mirror->mirror_ds), so the error pointer passed the check and was dereferenced. The oops is labelled a "NULL pointer dereference" at address 0x65 only because adding a small field offset to a pointer near the top of the address space wraps into the first page; the pointer itself was never NULL. Every other user of mirror_ds guards with IS_ERR_OR_NULL(), which rejects both cases, and the fix makes ff_layout_cancel_io() use the same test so that a failed mirror is skipped instead of dereferenced.

The reported trace runs from fsync(2) through nfs_writepages() into ff_layout_pg_init_write() and nfs4_ff_layout_prepare_ds(), which on failure calls pnfs_error_mark_layout_for_return() and ends in ff_layout_cancel_io() at offset +0x3a. The trigger is therefore ordinary write-back or fsync on a file served through a flexfiles pNFS layout while the client cannot use one of the layout's data servers (mirror index 1 in the reported crash). The lever is the data-server failure, not the write itself: any condition that makes a data server unusable while writes are outstanding can drive the client into this path. Writing to the mount is the only capability the triggering process needs, but a flexfiles pNFS layout must be in use; NFSv3 or NFSv4 mounts without pNFS never load this module. The outcome is a kernel panic on the client, a denial of service; the bug provides no memory-write primitive and no privilege escalation. Affected kernels are those that contain ff_layout_cancel_io() with the original NULL-only check; the fix is the single changed test. No exploitation in the wild is reported and no CVSS score is assigned in the record, but the page rates it High because an unprivileged write combined with an environmental fault crashes the whole host.
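The two checks the fix is about, modelled in userspace as an added example (this is not the kernel's code or the upstream patch): the block reimplements the ERR_PTR/IS_ERR/IS_ERR_OR_NULL encoding from include/linux/err.h, shows why the pointer drgn recovered, 0xffffffffffffffed, is -ENODEV and still passes a plain !ptr test, derives the 0x65 faulting address from that value, and runs the pre-fix and post-fix variants of the per-mirror test over a constructed mirror array. The struct types, their fields and the 0x78 field offset are assumptions made for the illustration; the offset is inferred from the two values in the crash report, not read from the real struct nfs4_ff_layout_ds.

```c
/*
 * Added illustration for CVE-2024-26868: a userspace model of the kernel's
 * ERR_PTR encoding and of the per-mirror check in ff_layout_cancel_io().
 * Not kernel code. The struct layouts below are stand-ins, and the 0x78
 * field offset is inferred from the crash report (0xffffffffffffffed + 0x78
 * wraps to 0x65), not taken from the real struct nfs4_ff_layout_ds.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Same encoding as include/linux/err.h: an error is a small negative number
 * cast to a pointer, so it lands in the last page of the address space and
 * is distinct from NULL. */
static inline void *ERR_PTR(long error) { return (void *)(uintptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(uintptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *ptr)
{
	return ptr == NULL || IS_ERR(ptr);
}

/* Address the CPU faults on when a field at field_offset is read through an
 * error pointer: the addition wraps past the top of the address space. */
static uintptr_t faulting_address(long err, size_t field_offset)
{
	return (uintptr_t)ERR_PTR(err) + field_offset;
}

/* Stand-in types, shaped only as far as this demo needs (assumption). */
struct nfs4_pnfs_ds { int connected; };
struct nfs4_ff_layout_ds {
	unsigned char pad[0x78];        /* assumed: places ds at the inferred offset */
	struct nfs4_pnfs_ds *ds;
};
struct nfs4_ff_layout_mirror { struct nfs4_ff_layout_ds *mirror_ds; };

/*
 * Models the loop in ff_layout_cancel_io(). With use_fix == false the
 * pre-fix test (!mirror_ds) is applied, with use_fix == true the patched
 * IS_ERR_OR_NULL(mirror_ds). Returns how many mirrors would have an
 * error-encoded mirror_ds dereferenced; in the kernel each one is a panic,
 * here it is counted and never touched.
 */
static int count_unsafe_derefs(struct nfs4_ff_layout_mirror **mirrors,
			       unsigned int cnt, bool use_fix)
{
	int unsafe = 0;

	for (unsigned int idx = 0; idx < cnt; idx++) {
		struct nfs4_ff_layout_ds *mirror_ds = mirrors[idx]->mirror_ds;
		bool skip = use_fix ? IS_ERR_OR_NULL(mirror_ds) : !mirror_ds;

		if (skip)
			continue;
		if (IS_ERR(mirror_ds)) {
			/* the kernel would execute mirror_ds->ds here and fault */
			unsafe++;
			continue;
		}
		/* a real pointer: following it is fine */
		if (!mirror_ds->ds)
			continue;
	}
	return unsafe;
}

/*
 * Constructed sample (not from the report): a three-way mirror whose index 1
 * failed to initialise and holds ERR_PTR(-ENODEV), the value drgn showed, and
 * whose index 2 was never set up (NULL).
 */
static int demo(bool use_fix)
{
	static struct nfs4_pnfs_ds ds0 = { .connected = 1 };
	static struct nfs4_ff_layout_ds good = { .ds = &ds0 };
	struct nfs4_ff_layout_mirror m0 = { .mirror_ds = &good };
	struct nfs4_ff_layout_mirror m1 = { .mirror_ds = ERR_PTR(-ENODEV) };
	struct nfs4_ff_layout_mirror m2 = { .mirror_ds = NULL };
	struct nfs4_ff_layout_mirror *mirror_array[] = { &m0, &m1, &m2 };

	return count_unsafe_derefs(mirror_array, 3, use_fix);
}

int main(void)
{
	void *p = ERR_PTR(-ENODEV);

	printf("ERR_PTR(-ENODEV) = %p  !p -> %d  IS_ERR_OR_NULL(p) -> %d\n",
	       p, !p, IS_ERR_OR_NULL(p));
	printf("read of a field at 0x78 through it faults at 0x%lx\n",
	       (unsigned long)faulting_address(-ENODEV, 0x78));
	printf("unsafe dereferences: before fix %d, after fix %d\n",
	       demo(false), demo(true));
	return 0;
}
```

On a 64-bit build ERR_PTR(-ENODEV) prints as 0xffffffffffffffed, the value in the drgn output, and the pre-fix walk counts one unsafe dereference at index 1 while the IS_ERR_OR_NULL() variant counts none. The same pattern applies to any kernel pointer that a setup routine may leave as an error value: a bare NULL test is only sufficient when every writer of that field stores either NULL or a valid pointer.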

Potential Impact

For European organizations the impact of CVE-2024-26868 is availability, not confidentiality or integrity: a client running a vulnerable kernel panics when it reaches the error path, taking every workload on that host down with it. Exposure is limited to Linux clients that mount NFSv4 exports served with pNFS flexfiles layouts; a plain NFSv3 or NFSv4 mount without pNFS never loads the nfs_layout_flexfiles module. Where flexfiles is in use, the affected hosts tend to be the ones organizations depend on most: storage gateways, virtualization hosts with VM disks on NFS, HPC and analytics nodes, and cloud or container nodes with NFS-backed volumes. Sectors with strict availability targets such as finance, telecommunications, healthcare and government are the most exposed to the resulting outages, and prolonged data unavailability can engage the availability requirement of GDPR Article 32 as well as contractual service levels. Because the crash is reached through a data-server failure rather than through malformed input, one unhealthy or unreachable data server, or a network partition toward it, can take down many clients at once, and the effect recurs until the data server is healthy again or the clients are patched. No exploitation in the wild is reported and the bug yields no code execution or privilege escalation, but the panic is reproducible under plausible operational conditions and should be patched promptly.

Mitigation Recommendations

1. Update to a kernel that carries the upstream fix. The CVE record states the issue is resolved upstream, so take the fixed kernel from your distribution or from a stable series that includes the ff_layout_cancel_io() change, and prioritise hosts that mount pNFS flexfiles exports.
2. If patching must wait, keep clients off the vulnerable code. The crash lives in the nfs_layout_flexfiles module, so preventing that module from loading on the client (a modprobe blacklist or install rule) makes the client fall back to I/O through the metadata server instead of using the layout; alternatively, stop the server from handing out flexfiles layouts where its configuration allows that. Confirm the fallback in staging first, since it changes the data path and its performance.
3. Watch kernel logs for the signature: "BUG: kernel NULL pointer dereference" with RIP in ff_layout_cancel_io [nfs_layout_flexfiles], and more generally for NFS data-server connection failures on clients that use pNFS, since those failures are what lead into the vulnerable path.
4. Limit the blast radius of a panic until patched: set the kernel.panic sysctl so the host reboots automatically after a panic, use a hardware or software watchdog where available, and make sure NFS-dependent services restart cleanly after an unplanned reboot.
5. Exercise the failure path in staging: write to and fsync a file on a flexfiles mount while one data server is made unreachable (for example by a firewall rule), and confirm that the patched client survives where the unpatched one panicked.
6. Work with storage and infrastructure teams to inventory which exports actually serve flexfiles layouts and which clients mount them, so the patch rollout and any interim module blacklisting target the right hosts and can be scheduled into maintenance windows.
7. Keep backups and disaster-recovery plans current so that an outage caused by a client panic, or by a data server taking many clients down with it, does not become data loss.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.184Z
CISA Enriched: true
CVSS Version: null (no CVSS score assigned in the record)
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3df6

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 7:40:41 PM

Last updated: 7/25/2025, 8:28:22 AM

