
CVE-2024-35870: Vulnerability in Linux (Linux kernel)

Severity: Medium
Published: Sun May 19 2024 (05/19/2024, 08:34:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in smb2_reconnect_server()

The UAF bug is due to smb2_reconnect_server() accessing a session that is already being torn down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has a connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING.

To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down.

The following can be reproduced by adding some delay right after the ipc is freed in __cifs_put_smb_ses() - which will give the smb2_reconnect_server() worker a chance to run and then access @ses->ipc:

kinit ...
mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10
[disconnect srv]
ls /mnt/1 &>/dev/null
sleep 30
kdestroy
[reconnect srv]
sleep 10
umount /mnt/1
...

CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
CIFS: VFS: \\srv Send error in SessSetup = -126
CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
CIFS: VFS: \\srv Send error in SessSetup = -126
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014
Workqueue: cifsiod smb2_reconnect_server [cifs]
RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0
Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8
RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83
RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b
RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800
RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000
R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000
FS:  0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? die_addr+0x36/0x90
 ? exc_general_protection+0x1c1/0x3f0
 ? asm_exc_general_protection+0x26/0x30
 ? __list_del_entry_valid_or_report+0x33/0xf0
 __cifs_put_smb_ses+0x1ae/0x500 [cifs]
 smb2_reconnect_server+0x4ed/0x710 [cifs]
 process_one_work+0x205/0x6b0
 worker_thread+0x191/0x360
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe2/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

AI-Powered Analysis

Last updated: 06/29/2025, 16:55:52 UTC

Technical Analysis

CVE-2024-35870 is a use-after-free (UAF) vulnerability in the Linux kernel's CIFS/SMB client, specifically in the smb2_reconnect_server() function. The bug is a race: smb2_reconnect_server() accesses a session object that another thread, executing __cifs_put_smb_ses(), is concurrently tearing down. The race can occur in two situations: (a) the client holds a connection to the SMB server but has no active session, or (b) another thread resets the session status (@ses->ses_status) to a value other than SES_EXITING while the teardown is still in progress. The root cause is insufficient synchronization around the session status, which lets smb2_reconnect_server() dereference memory that has already been freed (the crash dump above faults on the 0x6b6b6b6b6b6b6b6b address pattern typical of freed, poisoned kernel memory). The result is a kernel crash (general protection fault) and, according to this analysis, potentially arbitrary code execution in kernel space if exploited.

The condition is triggered during SMB session reconnect attempts, particularly when Kerberos authentication (sec=krb5) is used for CIFS mounts, as shown by the reproduction steps above, which mount a share, disconnect the server, and reconnect it with specific options. The fix unconditionally sets the session status to SES_EXITING during teardown and prevents other threads from changing that status until teardown completes, which closes the race.

The CVSS v3.1 base score is 4.4 (medium severity) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: local attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No known exploits in the wild were reported as of the publication date.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, primarily to systems running Linux kernels with CIFS/SMB client functionality enabled and using Kerberos authentication for SMB shares. Many enterprises in Europe rely on Linux servers and workstations for file sharing and network storage access, often integrating with Windows-based SMB servers in mixed environments. Exploitation could lead to kernel crashes causing denial of service on critical file-sharing infrastructure, or potentially enable privilege escalation or code execution in kernel space if combined with other vulnerabilities, threatening the confidentiality of sensitive data accessed via SMB. Because exploitation requires local access and high privileges, the immediate risk from remote attackers is limited, but insider threats or compromised accounts with elevated privileges could leverage this flaw. Disruption of SMB connectivity could impact business operations, especially in sectors with heavy reliance on networked file systems such as finance, manufacturing, and public administration. The medium CVSS score reflects these factors, but organizations should still prioritize patching to avoid potential escalation or stability issues.

Mitigation Recommendations

1. Apply the official Linux kernel patches as soon as they become available from trusted sources or distributions to address CVE-2024-35870.
2. Temporarily avoid using Kerberos-secured CIFS mounts or SMB session reconnect features if feasible, especially in environments where high privilege users have access.
3. Implement strict access controls and monitoring on systems with SMB client functionality to detect unusual kernel crashes or suspicious activity indicative of exploitation attempts.
4. Use kernel lockdown features and security modules (e.g., SELinux, AppArmor) to restrict kernel memory access and limit the potential impact of kernel-level vulnerabilities.
5. Regularly audit and minimize the number of users with high privileges on Linux systems to reduce the attack surface.
6. Employ comprehensive endpoint detection and response (EDR) solutions capable of detecting anomalous kernel behavior or memory corruption events.
7. Coordinate with IT and security teams to ensure timely deployment of kernel updates across all Linux systems, prioritizing those involved in SMB file sharing.
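Recommendation 3 asks for monitoring of kernel crashes on SMB client hosts. The following Python script is an added example (not part of this advisory or of the kernel project) that parses dmesg-style kernel log lines into oops records and flags the crash signature quoted in the description: the smb2_reconnect_server worker inside __cifs_put_smb_ses faulting on an all-0x6b address, which is the SLUB POISON_FREE fill written over freed objects. The log excerpt, its timestamps and the second, unrelated oops are constructed sample data.

```python
import re

# Constructed dmesg excerpt (sample data, not a real capture): the first oops reuses lines
# from the advisory's crash dump, the second is an unrelated fault that must not match.
SAMPLE_DMESG = r"""
[  312.410] CIFS: VFS: \\srv Send error in SessSetup = -126
[  322.515] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
[  322.517] Workqueue: cifsiod smb2_reconnect_server [cifs]
[  322.520] Call Trace:
[  322.521]  <TASK>
[  322.522]  ? die_addr+0x36/0x90
[  322.523]  __cifs_put_smb_ses+0x1ae/0x500 [cifs]
[  322.524]  smb2_reconnect_server+0x4ed/0x710 [cifs]
[  322.526]  </TASK>
[  500.001] BUG: unable to handle page fault for address: ffffffffc0a00000
[  500.002] Workqueue: events other_work
[  500.005]  other_work+0x10/0x40
[  500.006]  </TASK>
"""
TS_RE = re.compile(r"^\[\s*[\d.]+\]\s?")
OOPS_START = re.compile(r"general protection fault|BUG: unable to handle")
ADDR_RE = re.compile(r"(?:non-canonical address|for address:)\s*(?:0x)?([0-9a-f]{1,16})")
WQ_RE = re.compile(r"Workqueue:\s+(\S+)\s+(\S+)")
FRAME_RE = re.compile(r"^\s*\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oopses(text):
    """Split a kernel log into oops records: fault address, workqueue and trace symbols."""
    records, cur = [], None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if OOPS_START.search(line):            # a new oops starts here
            m = ADDR_RE.search(line)
            cur = {"fault_addr": int(m.group(1), 16) if m else None, "workqueue": None, "frames": []}
            records.append(cur)
        elif cur is not None:
            if (m := WQ_RE.search(line)):
                cur["workqueue"] = m.group(2)
            elif (m := FRAME_RE.match(line)):
                cur["frames"].append(m.group(1))
            elif "</TASK>" in line:            # end of the trace; later lines belong to no oops
                cur = None
    return records

def is_freed_slab_poison(addr):
    """Every byte 0x6b is SLUB's POISON_FREE fill: the pointer came from a freed object."""
    return addr is not None and all(((addr >> (8 * i)) & 0xFF) == 0x6B for i in range(8))

def matches_cve_2024_35870(rec):
    """Signature from the advisory's dump: reconnect worker in __cifs_put_smb_ses on freed memory."""
    in_reconnect = rec["workqueue"] == "smb2_reconnect_server" or "smb2_reconnect_server" in rec["frames"]
    return in_reconnect and "__cifs_put_smb_ses" in rec["frames"] and is_freed_slab_poison(rec["fault_addr"])
```

Feed it `dmesg` or `journalctl -k` output; a match is a strong indicator that an unpatched host hit this UAF, whether by accident during a reconnect or deliberately.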


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.108Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe3702

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 4:55:52 PM

Last updated: 8/8/2025, 11:58:06 AM
