CVE-2024-26958: Vulnerability in the Linux kernel (vendor: Linux)
In the Linux kernel, the following vulnerability has been resolved:

nfs: fix UAF in direct writes

In production we have been hitting the following warning consistently

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0
Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]
RIP: 0010:refcount_warn_saturate+0x9c/0xe0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __warn+0x9f/0x130
 ? refcount_warn_saturate+0x9c/0xe0
 ? report_bug+0xcc/0x150
 ? handle_bug+0x3d/0x70
 ? exc_invalid_op+0x16/0x40
 ? asm_exc_invalid_op+0x16/0x20
 ? refcount_warn_saturate+0x9c/0xe0
 nfs_direct_write_schedule_work+0x237/0x250 [nfs]
 process_one_work+0x12f/0x4a0
 worker_thread+0x14e/0x3b0
 ? ZSTD_getCParams_internal+0x220/0x220
 kthread+0xdc/0x120
 ? __btf_name_valid+0xa0/0xa0
 ret_from_fork+0x1f/0x30

This is because we're completing the nfs_direct_request twice in a row. The source of this is when we have our commit requests to submit, we process them and send them off, and then in the completion path for the commit requests we have

	if (nfs_commit_end(cinfo.mds))
		nfs_direct_write_complete(dreq);

However since we're submitting asynchronous requests we sometimes have one that completes before we submit the next one, so we end up calling complete on the nfs_direct_request twice.

The only other place we use nfs_generic_commit_list() is in __nfs_commit_inode, which wraps this call in a

	nfs_commit_begin();
	nfs_commit_end();

Which is a common pattern for this style of completion handling, one that is also repeated in the direct code with get_dreq()/put_dreq() calls around where we process events as well as in the completion paths.

Fix this by using the same pattern for the commit requests.

Before with my 200 node rocksdb stress running this warning would pop every 10ish minutes. With my patch the stress test has been running for several hours without popping.
AI Analysis
Technical Summary
CVE-2024-26958 is a use-after-free (UAF) vulnerability in the Linux kernel's NFS (Network File System) subsystem, specifically in the direct (O_DIRECT) write path. The vulnerability arises from improper handling of commit requests in the NFS direct write code. The root cause is that the nfs_direct_request object is completed twice: commit requests are submitted asynchronously, and when one of them completes before the next has been submitted, the completion-path check "if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq);" sees the pending-commit counter reach zero more than once. The second completion drops a reference the request no longer holds, which produces the refcount underflow reported by refcount_warn_saturate in the kernel warning and a use-after-free of the request. The fix applies the commit handling pattern already used by __nfs_commit_inode: submission of the commit requests is wrapped in nfs_commit_begin()/nfs_commit_end(), so the final completion cannot run until every commit request has been both submitted and finished. The bug was reproducible under stress testing with RocksDB workloads on a 200-node cluster, producing the warning roughly every 10 minutes before the patch; after the fix the stress test ran for several hours without triggering it. No known exploits are reported in the wild, and no CVSS score has been assigned. The CVE record scopes the affected kernel versions by the commit hash af7cf057933f01dc7f33ddfb5e436ad598ed17ad; kernels that contain that commit but not the fix are affected.
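The double-completion mechanism described above is easiest to see in a small simulation. The following C program is an added example, not kernel code and not part of the advisory: it models the pending-commit counter and the request refcount with plain integers, and the helper names (get_dreq/put_dreq, commit_begin/commit_end, commit_done, direct_write_complete) only mirror the kernel functions named in the commit message; their bodies here are simplified assumptions. The "early" flag models a commit RPC that finishes before the next one is submitted, which is the intermittent case the advisory describes, and "guarded" wraps the submission loop in the begin/end pair that the fix adds.

```c
#include <stdio.h>
#include <stdbool.h>

/* Toy model of the completion-counting pattern from the advisory (user-space,
 * illustrative; the real kernel objects are nfs_direct_req and cinfo.mds). */
struct direct_req {
    int dreq_refs;       /* get_dreq()/put_dreq() references held on the request */
    int commit_pending;  /* nfs_commit_begin()/nfs_commit_end() counter */
    int freed;           /* times the request was released */
    int underflows;      /* puts on a zero refcount: the refcount_t warning in the trace */
};

struct outcome {
    int completions;     /* how many times the final completion ran */
    int underflows;
    int freed;
};

static void get_dreq(struct direct_req *d) { d->dreq_refs++; }

/* Release one reference; free the request when the last one goes away. */
static void put_dreq(struct direct_req *d)
{
    if (d->dreq_refs <= 0) {        /* refcount_t would warn here */
        d->underflows++;
        return;
    }
    if (--d->dreq_refs == 0)
        d->freed++;
}

static void commit_begin(struct direct_req *d) { d->commit_pending++; }

/* Returns true when the last pending commit has finished. */
static bool commit_end(struct direct_req *d)
{
    return --d->commit_pending == 0;
}

/* Final completion of the direct request: drops the request's own reference. */
static void direct_write_complete(struct direct_req *d, struct outcome *o)
{
    o->completions++;
    put_dreq(d);
}

/* Completion callback of one commit RPC, as quoted in the commit message:
 *   if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); */
static void commit_done(struct direct_req *d, struct outcome *o)
{
    if (commit_end(d))
        direct_write_complete(d, o);
}

/* Submit ncommits commit RPCs. 'early': each RPC completes before the next
 * is submitted; otherwise all complete after the loop. 'guarded': hold the
 * counter open across submission, as the fix does. */
static struct outcome schedule_commits(int ncommits, bool guarded, bool early)
{
    struct direct_req req = { .dreq_refs = 1 };   /* one reference for the issuer */
    struct outcome o = { 0 };

    if (guarded)
        commit_begin(&req);              /* submission-time count */

    for (int i = 0; i < ncommits; i++) {
        commit_begin(&req);              /* one count per in-flight commit RPC */
        if (early)
            commit_done(&req, &o);       /* RPC finished before the next submit */
    }
    if (!early)
        for (int i = 0; i < ncommits; i++)
            commit_done(&req, &o);       /* all RPCs finish later */

    if (guarded && commit_end(&req))     /* drop the submission-time count */
        direct_write_complete(&req, &o);

    o.underflows = req.underflows;
    o.freed = req.freed;
    return o;
}

int main(void)
{
    struct outcome bug = schedule_commits(2, false, true);
    struct outcome lucky = schedule_commits(2, false, false);
    struct outcome fixed = schedule_commits(2, true, true);

    printf("unguarded, early completion: completions=%d underflows=%d freed=%d\n",
           bug.completions, bug.underflows, bug.freed);
    printf("unguarded, late completion:  completions=%d underflows=%d freed=%d\n",
           lucky.completions, lucky.underflows, lucky.freed);
    printf("guarded, early completion:   completions=%d underflows=%d freed=%d\n",
           fixed.completions, fixed.underflows, fixed.freed);
    return 0;
}
```

The unguarded run with an early completion completes the request twice and records one underflow, exactly the signature in the trace; the same unguarded code with all completions arriving late completes once, which is why the warning only appeared intermittently under load. With the submission loop guarded, the counter cannot hit zero until the loop is finished, so the request is completed exactly once regardless of ordering.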
Potential Impact
For European organizations relying on Linux-based systems with NFS for file sharing and storage, this vulnerability poses a risk of kernel instability and potential denial of service (DoS) due to use-after-free conditions causing kernel warnings and possible crashes. While no direct remote code execution or privilege escalation is indicated, the UAF could be leveraged in complex attack chains to compromise system integrity or availability. Organizations with large-scale distributed storage environments, such as data centers, research institutions, and enterprises using NFS for high-performance computing or cloud infrastructure, are particularly at risk. The instability could lead to service interruptions, data access delays, and increased operational costs due to system reboots or troubleshooting. Given the asynchronous nature of the bug, it may be triggered under heavy I/O workloads, making high-traffic servers more vulnerable. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to maintain system reliability and security posture.
Mitigation Recommendations
1. Apply the official Linux kernel patch that addresses CVE-2024-26958 as soon as it becomes available in your distribution's kernel updates. Monitor vendor advisories for updated kernel packages.
2. For environments where immediate patching is not feasible, consider temporarily disabling or limiting NFS direct write operations (applications opening files on NFS mounts with O_DIRECT) where possible, to reduce exposure to the vulnerable code path.
3. Implement monitoring for kernel warnings matching this bug, in particular "refcount_t: underflow; use-after-free" warnings whose trace includes nfs_direct_write_schedule_work or other [nfs] frames, to detect instability or attempted exploitation early.
4. Conduct stress testing in controlled environments to verify the stability of patched kernels before deployment in production.
5. Ensure that backup and recovery procedures are up to date to mitigate potential data availability issues caused by system crashes.
6. Engage with Linux distribution security teams to confirm patch availability and coordinate timely updates.
7. Review and harden NFS configurations, including access controls and network segmentation, to reduce the attack surface and limit exposure to untrusted clients.
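For recommendation 3, the following C program is an added example of the matching logic a log monitor would need; it is not tooling from the advisory or from any vendor. It scans kernel log lines (as dmesg or journalctl -k would print them) for the refcount underflow warning and attributes it to NFS only when an [nfs] frame appears within a bounded window after it, so unrelated refcount warnings are not counted. The sample log is constructed from the trace in the advisory plus one made-up non-NFS warning; the WINDOW size is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Number of lines after the warning header to search for an NFS frame
 * (assumption; a real trace is usually well under this). */
#define WINDOW 24

static int is_nfs_frame(const char *line)
{
    return strstr(line, "[nfs]") != NULL;
}

/* Returns the number of refcount underflow warnings attributable to NFS. */
static int count_nfs_refcount_alerts(const char *const lines[], int n)
{
    int alerts = 0;
    for (int i = 0; i < n; i++) {
        if (!strstr(lines[i], "refcount_t: underflow"))
            continue;
        /* Look ahead a bounded number of lines for an [nfs] frame in the trace. */
        for (int j = i + 1; j < n && j <= i + WINDOW; j++) {
            if (strstr(lines[j], "cut here"))   /* next warning starts: stop */
                break;
            if (is_nfs_frame(lines[j])) {
                alerts++;
                break;
            }
        }
    }
    return alerts;
}

/* Constructed sample: the trace from the advisory, followed by an unrelated
 * (made-up) refcount warning from another module that must not be counted. */
static const char *const sample_log[] = {
    "------------[ cut here ]------------",
    "refcount_t: underflow; use-after-free.",
    "WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0",
    "Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]",
    "RIP: 0010:refcount_warn_saturate+0x9c/0xe0",
    "Call Trace:",
    " nfs_direct_write_schedule_work+0x237/0x250 [nfs]",
    " process_one_work+0x12f/0x4a0",
    "------------[ cut here ]------------",
    "refcount_t: underflow; use-after-free.",
    "WARNING: CPU: 3 PID: 42 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0",
    "Workqueue: events some_other_work [other_mod]",   /* constructed, not NFS */
    "Call Trace:",
    " some_other_work+0x10/0x20 [other_mod]",
};
static const int sample_log_len = sizeof sample_log / sizeof sample_log[0];

int main(void)
{
    printf("NFS refcount underflow alerts: %d\n",
           count_nfs_refcount_alerts(sample_log, sample_log_len));
    return 0;
}
```

On the constructed sample the first warning is counted and the second is not. In production the same matcher would feed an alert rather than a printf; a hit on an unpatched kernel is a reliability signal that the vulnerable path has been exercised, not proof of exploitation.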
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.200Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aebfd4
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 5:55:53 AM
Last updated: 8/1/2025, 7:23:00 AM