CVE-2024-26944: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free in do_zone_finish()

Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070.

BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0
==================================================================
BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]
Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007

CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1
Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
Call Trace:
 <TASK>
 dump_stack_lvl+0x5b/0x90
 print_report+0xcf/0x670
 ? __virt_addr_valid+0x200/0x3e0
 kasan_report+0xd8/0x110
 ? do_zone_finish+0x91a/0xb90 [btrfs]
 ? do_zone_finish+0x91a/0xb90 [btrfs]
 do_zone_finish+0x91a/0xb90 [btrfs]
 btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]
 ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]
 ? btrfs_put_root+0x2d/0x220 [btrfs]
 ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]
 cleaner_kthread+0x21e/0x380 [btrfs]
 ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]
 kthread+0x2e3/0x3c0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Allocated by task 3493983:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0xaa/0xb0
 btrfs_alloc_device+0xb3/0x4e0 [btrfs]
 device_list_add.constprop.0+0x993/0x1630 [btrfs]
 btrfs_scan_one_device+0x219/0x3d0 [btrfs]
 btrfs_control_ioctl+0x26e/0x310 [btrfs]
 __x64_sys_ioctl+0x134/0x1b0
 do_syscall_64+0x99/0x190
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Freed by task 3494056:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3f/0x60
 poison_slab_object+0x102/0x170
 __kasan_slab_free+0x32/0x70
 kfree+0x11b/0x320
 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]
 btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]
 btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]
 btrfs_ioctl+0xb27/0x57d0 [btrfs]
 __x64_sys_ioctl+0x134/0x1b0
 do_syscall_64+0x99/0x190
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

The buggy address belongs to the object at ffff8881543c8000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 96 bytes inside of
 freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)

The buggy address belongs to the physical page:
page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8
head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish(). The sequence of events is as follows:

btrfs_dev_replace_start
 btrfs_scrub_dev
 btrfs_dev_replace_finishing
  btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced
  btrfs_rm_dev_replace_free_srcdev
   btrfs_free_device <-- device freed

cleaner_kthread
 btrfs_delete_unused_bgs
  btrfs_zone_finish
   do_zone_finish <-- refers the freed device

The reason for this is that we're using a ---truncated---
AI Analysis
Technical Summary
CVE-2024-26944 is a use-after-free (UAF) vulnerability identified in the Btrfs (B-tree file system) implementation within the Linux kernel. The vulnerability arises specifically in the zoned block device handling code, within the function do_zone_finish(). The flaw is triggered during device replacement operations, where stale zone information from a previously removed btrfs_device structure is accessed after it has been freed. This leads to a use-after-free condition, which is detected by Kernel Address Sanitizer (KASAN) as an invalid read of freed memory. The vulnerability was reported by Shinichiro and involves a complex sequence of kernel threads and ioctl operations related to device replacement and scrub processes. The bug manifests when the cleaner kernel thread attempts to finish zones on a device that has already been freed by the device replacement finalization routines. The root cause is the improper handling of device lifecycle and zone information, resulting in references to freed memory. This can cause kernel crashes, memory corruption, or potentially arbitrary code execution in kernel context if exploited. The vulnerability affects Linux kernel versions around 6.8.0-rc5 and likely other versions using the affected Btrfs code. No public exploits are known at this time, and no CVSS score has been assigned yet. However, the vulnerability is serious due to its kernel-level impact and the critical role of Btrfs in storage management on Linux systems.
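The ordering in the report (cleaner picks up a block group, device replace frees the old device, the cleaner then reads that device's zone information) is the general lifetime bug class, and it is worth seeing in a model one can compile. The following is an added illustrative example, not kernel code and not the upstream patch, which the truncated description above does not show. All names in it (dev_map, dev_get/dev_put, map_snapshot, cleaner_finish_zones, run_replace_race_model) are hypothetical. It pins each device pointer the background worker snapshots with a reference count, a generic remedy for this class, so that the replace path's release of the old device cannot free it while the worker is still using it.

```c
/*
 * Model of the lifetime bug behind CVE-2024-26944 (illustrative, not kernel
 * code): a background "cleaner" caches device pointers from a chunk map while
 * "device replace" swaps out and releases the old device. The refcount pin
 * here is a generic remedy, not a description of the upstream fix.
 */
#include <stdlib.h>

#define MAX_STRIPES 4

struct zone_info {
    unsigned long zone_size;   /* bytes per zone (constructed value) */
    unsigned int nr_zones;
};

struct device {
    int refs;                    /* hypothetical reference count */
    struct zone_info *zone_info; /* freed together with the device */
    int devid;
};

static int g_devices_freed;      /* observable count of real frees */

static struct device *dev_alloc(int devid, unsigned long zone_size, unsigned int nr_zones)
{
    struct device *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->zone_info = calloc(1, sizeof *d->zone_info);
    if (!d->zone_info) { free(d); return NULL; }
    d->zone_info->zone_size = zone_size;
    d->zone_info->nr_zones = nr_zones;
    d->devid = devid;
    d->refs = 1;                 /* the chunk map owns the initial reference */
    return d;
}

static void dev_get(struct device *d) { d->refs++; }

static void dev_put(struct device *d)
{
    if (--d->refs == 0) {        /* last user frees, whoever that is */
        free(d->zone_info);
        free(d);
        g_devices_freed++;
    }
}

/* Chunk map: each stripe points at the device currently backing it. */
struct dev_map {
    struct device *stripes[MAX_STRIPES];
    int nr_stripes;
};

/* The cleaner's private copy of the map; every pointer in it is pinned. */
struct dev_map_snapshot {
    struct device *stripes[MAX_STRIPES];
    int nr_stripes;
};

static void map_snapshot(const struct dev_map *map, struct dev_map_snapshot *snap)
{
    snap->nr_stripes = map->nr_stripes;
    for (int i = 0; i < map->nr_stripes; i++) {
        snap->stripes[i] = map->stripes[i];
        dev_get(snap->stripes[i]);   /* the pin a stale cached pointer lacks */
    }
}

static void map_snapshot_release(struct dev_map_snapshot *snap)
{
    for (int i = 0; i < snap->nr_stripes; i++)
        dev_put(snap->stripes[i]);
    snap->nr_stripes = 0;
}

/* Device replace: repoint stripe i and drop the map's reference on the old
 * device. newdev arrives with refs == 1, which the map now owns. */
static void map_replace_device(struct dev_map *map, int i, struct device *newdev)
{
    struct device *old = map->stripes[i];
    map->stripes[i] = newdev;
    dev_put(old);                /* does NOT free while the cleaner holds a pin */
}

/* Cleaner work: read zone geometry of every stripe in its snapshot. */
static unsigned long cleaner_finish_zones(const struct dev_map_snapshot *snap)
{
    unsigned long total = 0;
    for (int i = 0; i < snap->nr_stripes; i++)
        total += snap->stripes[i]->zone_info->zone_size;  /* safe: pinned */
    return total;
}

/* Replays the report's ordering: snapshot, replace, finish zones, release.
 * Returns how many devices were freed before the cleaner used them (0). */
int run_replace_race_model(void)
{
    g_devices_freed = 0;
    struct dev_map map = { .nr_stripes = 1 };
    map.stripes[0] = dev_alloc(1, 256UL << 20, 1024);     /* constructed geometry */

    struct dev_map_snapshot snap;
    map_snapshot(&map, &snap);                             /* cleaner picks up the block group */
    map_replace_device(&map, 0, dev_alloc(2, 256UL << 20, 1024)); /* replace finishing */
    int freed_before_use = g_devices_freed;

    (void)cleaner_finish_zones(&snap);                     /* would be the UAF without the pin */
    map_snapshot_release(&snap);                           /* old device freed here */
    dev_put(map.stripes[0]);                               /* tear down the new device */
    return freed_before_use;
}

int model_total_freed(void) { return g_devices_freed; }
```

Both devices end up freed exactly once, but only after the cleaner has finished with its snapshot; the interesting line is the `freed_before_use` read, which stays 0 because the replace path's `dev_put` found the cleaner's reference still outstanding.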
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux servers with Btrfs file systems, which are increasingly used in enterprise environments for their advanced features like snapshots and checksumming. Exploitation could lead to denial of service via kernel panics or system crashes, impacting availability of critical services. More severe exploitation might allow privilege escalation or arbitrary code execution in kernel space, compromising confidentiality and integrity of data. This is particularly concerning for data centers, cloud providers, and industries with sensitive data such as finance, healthcare, and government institutions. The use-after-free in kernel code can be leveraged by attackers with local access or through crafted ioctl calls, potentially by malicious insiders or attackers who have gained an initial foothold. Given the kernel-level nature, successful exploitation could undermine system security controls and lead to persistent compromise. The lack of known exploits reduces immediate risk, but the complexity of the vulnerability and its presence in a core subsystem means European organizations should prioritize patching to prevent future attacks.
Mitigation Recommendations
Organizations should promptly apply the official Linux kernel patches that address CVE-2024-26944 once available. Until patches are deployed, mitigating risk includes restricting access to systems running Btrfs to trusted users only, minimizing local user privileges, and monitoring for unusual kernel activity or crashes related to btrfs-cleaner or device replacement operations. Disabling or avoiding the use of device replacement features in Btrfs can reduce exposure. Security teams should audit systems for kernel versions and Btrfs usage, and implement kernel integrity monitoring to detect exploitation attempts. Additionally, employing kernel hardening features such as Kernel Address Sanitizer (KASAN) in testing environments can help identify similar issues proactively. For critical infrastructure, consider isolating Btrfs storage nodes and enforcing strict access controls. Regular backups and disaster recovery plans are essential to mitigate potential data loss from crashes triggered by exploitation.
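The recommendation to monitor for crashes involving btrfs-cleaner or device replacement needs something that recognises the report format quoted above. The following is an added example, not part of the original advisory or of any kernel tool: a small parser for the "BUG: KASAN: <type> in <func> [<module>]" header and the "Comm:" task line, with a filter that flags reports landing in the btrfs zone-finish path. The sample log lines are constructed from the report above (the "some_other_func" line is invented as a negative case), and all function names are hypothetical. On production kernels built without KASAN the same bug would surface as a plain oops rather than a KASAN header, so a real monitor would also watch "BUG:" and "general protection fault" lines whose trace mentions btrfs.

```c
/* Added example: parse KASAN report headers from kernel log lines and flag
 * reports in the btrfs zone-finish path. Not kernel or btrfs-progs code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

struct kasan_hdr {
    char type[48];    /* e.g. "slab-use-after-free" */
    char func[64];    /* e.g. "do_zone_finish" */
    char module[32];  /* e.g. "btrfs", or "" for core kernel */
};

static void copy_span(char *dst, size_t cap, const char *s, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Parses "BUG: KASAN: <type> in <func>+0x<off>/0x<size> [<module>]".
 * Returns false for any line that is not a KASAN header. */
bool parse_kasan_header(const char *line, struct kasan_hdr *out)
{
    const char *p = strstr(line, "BUG: KASAN: ");
    if (!p) return false;
    p += strlen("BUG: KASAN: ");
    const char *in = strstr(p, " in ");
    if (!in) return false;
    copy_span(out->type, sizeof out->type, p, (size_t)(in - p));
    p = in + 4;
    copy_span(out->func, sizeof out->func, p, strcspn(p, "+ \r\n"));
    const char *lb = strchr(p, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (lb && rb)
        copy_span(out->module, sizeof out->module, lb + 1, (size_t)(rb - lb - 1));
    else
        out->module[0] = '\0';
    return true;
}

/* Extracts the task name from "CPU: .. PID: .. Comm: <name> Tainted: ..". */
bool parse_comm(const char *line, char *comm, size_t cap)
{
    const char *p = strstr(line, "Comm: ");
    if (!p) return false;
    p += strlen("Comm: ");
    copy_span(comm, cap, p, strcspn(p, " \r\n"));
    return true;
}

/* True when the report is in the btrfs module and the faulting function is
 * one of the zone/cleaner paths named in the CVE description. */
bool is_btrfs_zone_report(const struct kasan_hdr *h)
{
    static const char *const watch[] = {
        "do_zone_finish", "btrfs_zone_finish", "btrfs_delete_unused_bgs"
    };
    if (strcmp(h->module, "btrfs") != 0) return false;
    for (size_t i = 0; i < sizeof watch / sizeof *watch; i++)
        if (strcmp(h->func, watch[i]) == 0) return true;
    return false;
}

/* Scans log lines and counts btrfs zone-path KASAN reports. */
int count_btrfs_zone_reports(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct kasan_hdr h;
        if (parse_kasan_header(lines[i], &h) && is_btrfs_zone_report(&h))
            hits++;
    }
    return hits;
}

/* Constructed sample, modelled on the report in the description above. */
const char *const sample_log[] = {
    "BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0",
    "==================================================================",
    "BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]",
    "Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007",
    "CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1",
    "BUG: KASAN: slab-out-of-bounds in some_other_func+0x10/0x20", /* invented negative case */
};
const int sample_log_len = (int)(sizeof sample_log / sizeof *sample_log);

int main(void)
{
    printf("btrfs zone-path reports in sample: %d\n",
           count_btrfs_zone_reports(sample_log, sample_log_len));
    return 0;
}
```

Feeding `dmesg` or `journalctl -k` output through this line by line and alerting on a non-zero count is the shape of the monitoring the recommendation describes; the module check keeps unrelated KASAN reports from core kernel code out of the btrfs alert.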
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.197Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682cd0f71484d88663aeb018
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 6:42:59 AM
Last updated: 8/1/2025, 6:15:09 AM