
CVE-2024-38626: Vulnerability in the Linux kernel

Severity: Medium
Published: Fri Jun 21 2024 (06/21/2024, 10:18:18 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

fuse: clear FR_SENT when re-adding requests into pending list

The following warning was reported by lee bruce:

    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
    Modules linked in:
    CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
    ......
    Call Trace:
     <TASK>
     fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334
     fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367
     call_read_iter include/linux/fs.h:2104 [inline]
     new_sync_read fs/read_write.c:395 [inline]
     vfs_read+0x85b/0xba0 fs/read_write.c:476
     ksys_read+0x12f/0x260 fs/read_write.c:619
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
     ......
     </TASK>

The warning is due to the FUSE_NOTIFY_RESEND notify sent by the write() syscall in the reproducer program and it happens as follows:

(1) calls fuse_dev_read() to read the INIT request
    The read succeeds. During the read, bit FR_SENT will be set on the request.
(2) calls fuse_dev_write() to send a FUSE_NOTIFY_RESEND notify
    The resend notify will resend all processing requests, so the INIT request is moved from processing list to pending list again.
(3) calls fuse_dev_read() with an invalid output address
    fuse_dev_read() will try to copy the same INIT request to the output address, but it will fail due to the invalid address, so the INIT request is ended and triggers the warning in fuse_request_end().

Fix it by clearing FR_SENT when re-adding requests into pending list.

AI-Powered Analysis

Last updated: 06/29/2025, 12:09:50 UTC

Technical Analysis

CVE-2024-38626 is a flaw in the request handling of the Linux kernel's FUSE (Filesystem in Userspace) subsystem (fs/fuse/dev.c). A FUSE request carries an FR_SENT flag recording that it has already been copied out to the userspace filesystem daemon through /dev/fuse, and fuse_request_end() contains a sanity check (a WARN_ON) that a request being ended is not still marked as sent. The FUSE_NOTIFY_RESEND notification, which the daemon writes to /dev/fuse to have all in-flight requests delivered again, moved those requests from the processing list back to the pending list without clearing FR_SENT. The reported sequence is: the daemon reads the INIT request (FR_SENT is set), writes a FUSE_NOTIFY_RESEND notification (INIT goes back to the pending list, still flagged as sent), then reads /dev/fuse again with an invalid output buffer; the copy to userspace fails, the kernel ends the request, and the check in fuse_request_end() fires because FR_SENT is still set. The fix clears FR_SENT when requests are re-queued to the pending list. Two points matter for assessing exposure. First, the trigger is the userspace side of the FUSE protocol (reads and writes on the /dev/fuse file descriptor), so it is reachable by whoever can serve a FUSE mount, which on most distributions includes unprivileged local users via the setuid fusermount helper, but not by a client that merely accesses files on an existing FUSE mount. Second, FUSE_NOTIFY_RESEND was introduced during the 6.9 development cycle, so the bug is present in 6.9 release candidates such as the 6.9.0-rc7 kernel in the report and absent from earlier kernels that lack the resend notification. The warning itself is a WARN_ON, not a fault: the kernel keeps running unless panic_on_warn is enabled, in which case it panics and the result is a local denial of service. The issue was reported by lee bruce. No exploitation in the wild is known, and nothing in the report indicates privilege escalation or code execution.

Potential Impact

For European organizations running Linux with FUSE filesystems (SSHFS, cloud storage mounts, or custom filesystem implementations), the realistic impact is availability: a local user or container that can open /dev/fuse and act as a FUSE server can make the kernel emit the fuse_request_end() warning at will, and on hosts that set panic_on_warn (common in hardened and fuzzing configurations) that warning becomes a panic and takes the machine down. Nothing in the report indicates privilege escalation or arbitrary code execution, and the record carries no CVSS score (see Technical Details). Shared hosts are the main concern: multi-tenant build or CI machines, container platforms that pass /dev/fuse into workloads, and desktops or jump hosts with many local users. Where FUSE is used only by trusted system daemons, or where panic_on_warn is off, the effect is a kernel log warning rather than an outage. Given how widely Linux is deployed in European data centers, cloud providers, and enterprise infrastructure, the vulnerability poses a moderate risk to service reliability and uptime where those conditions hold.

Mitigation Recommendations

To mitigate this vulnerability, apply a kernel that contains the upstream fix ("fuse: clear FR_SENT when re-adding requests into pending list"). Distribution kernels backport fixes under their own version numbers, so check the vendor advisory for CVE-2024-38626 rather than comparing against 6.9.0-rc7; kernels without FUSE_NOTIFY_RESEND support are not affected in the first place. Where patching must wait, reduce who can reach the trigger: the bug is driven through /dev/fuse, so restrict FUSE to trusted users (permissions on /dev/fuse, the setuid fusermount helper, and whether unprivileged user namespaces are allowed) and do not pass /dev/fuse into containers that do not need it. Review whether kernel.panic_on_warn is set: with it on, this warning is a reboot; with it off, it is a log entry. Monitor kernel logs for "WARNING: ... at fs/fuse/dev.c ... fuse_request_end" and alert on repeated hits from the same process, which is what a deliberate trigger looks like. Containers share the host kernel, so in container environments patching the host is what matters; virtual machines carry their own kernel and need updating separately.
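The log check recommended above, as an added example that is not part of the original advisory or of the kernel project: it scans kernel log lines (dmesg or syslog/journal style) for WARNING lines raised from fuse_request_end() in fs/fuse/, attaches the process name and kernel version from the following "CPU: ... Comm: ..." line, and reports which process names triggered the warning repeatedly. The sample log is constructed for the example; its FUSE lines copy the WARNING and Comm format from the trace quoted in the description, the skbuff WARNING is unrelated noise the detector must ignore, and the PIDs, timestamps and hostname are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed kernel log sample (not a real capture). The fuse WARNING lines follow the
# format of the trace in the advisory; PIDs, timestamps and the hostname are invented.
SAMPLE_KERNEL_LOG = """\
[  101.233112] fuse: init (API version 7.40)
[  188.412009] ------------[ cut here ]------------
[  188.412010] WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
[  188.412011] Modules linked in:
[  188.412012] CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7 #1
[  188.412016]  fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334
[  188.412020] ---[ end trace 0000000000000000 ]---
[  205.000001] WARNING: CPU: 2 PID: 4321 at net/core/skbuff.c:1234 skb_panic+0x10/0x20
[  205.000002] CPU: 2 PID: 4321 Comm: curl Not tainted 6.9.0-rc7 #1
Jun 21 10:18:18 host1 kernel: WARNING: CPU: 1 PID: 8301 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300
Jun 21 10:18:18 host1 kernel: CPU: 1 PID: 8301 Comm: ab2 Tainted: G        W          6.9.0-rc7 #1
"""

# Strip a syslog/journal "... kernel: " prefix and/or a dmesg "[ seconds.micros] " timestamp.
_PREFIX_RE = re.compile(r"^(?:.*?\bkernel:\s*)?(?:\[\s*\d+\.\d+\]\s*)?")
# "WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 ..."
_WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<file>\S+):(?P<line>\d+) "
    r"(?P<func>[A-Za-z_][\w.]*)\+"
)
# "CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7 #1" (taint flags may contain spaces)
_CPU_RE = re.compile(
    r"CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) .*?(?P<kernel>\d+\.\d+\.\d+\S*)"
)


@dataclass
class FuseWarning:
    cpu: int
    pid: int
    location: str  # file:line from the WARNING line, e.g. fs/fuse/dev.c:300
    comm: Optional[str] = None
    kernel: Optional[str] = None


def find_fuse_request_end_warnings(log_text: str) -> List[FuseWarning]:
    """Return one record per WARNING raised from fuse_request_end() under fs/fuse/.

    The 'CPU: ... Comm: ...' line that the kernel prints right after a WARNING carries the
    process name and kernel version; it is attached to the preceding hit when the PID matches.
    """
    hits: List[FuseWarning] = []
    open_hit: Optional[FuseWarning] = None
    for raw in log_text.splitlines():
        line = _PREFIX_RE.sub("", raw, count=1)
        w = _WARN_RE.search(line)
        if w:
            open_hit = None  # any new WARNING closes the previous one, matching or not
            if w["func"] == "fuse_request_end" and w["file"].startswith("fs/fuse/"):
                open_hit = FuseWarning(int(w["cpu"]), int(w["pid"]), f'{w["file"]}:{w["line"]}')
                hits.append(open_hit)
            continue
        if open_hit is not None:
            c = _CPU_RE.search(line)
            if c and int(c["pid"]) == open_hit.pid:
                open_hit.comm = c["comm"]
                open_hit.kernel = c["kernel"]
                open_hit = None
    return hits


def count_by_comm(hits: List[FuseWarning]) -> Dict[str, int]:
    """Number of fuse_request_end warnings per process name ('?' if no Comm line followed)."""
    return dict(Counter(h.comm or "?" for h in hits))


def repeated_triggers(hits: List[FuseWarning], threshold: int = 2) -> List[str]:
    """Process names that produced the warning at least `threshold` times.

    One hit can be an accident in a buggy filesystem daemon; repeats from the same program
    are what a deliberate trigger of this bug looks like and are worth an alert.
    """
    return sorted(comm for comm, n in count_by_comm(hits).items() if n >= threshold)


if __name__ == "__main__":
    found = find_fuse_request_end_warnings(SAMPLE_KERNEL_LOG)
    for h in found:
        print(f"fuse_request_end warning: cpu={h.cpu} pid={h.pid} comm={h.comm} "
              f"kernel={h.kernel} at {h.location}")
    print("repeated triggers:", repeated_triggers(found))
```

Feed it `dmesg` or `journalctl -k` output; the prefix handling accepts both. The CPU/Comm line is only trusted when its PID matches the WARNING line, so an unrelated warning between the two is not misattributed.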


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-18T19:36:34.945Z
CISA Enriched: true
CVSS Version: null (no CVSS score on this record)
State: PUBLISHED

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:09:50 PM

Last updated: 7/30/2025, 10:53:59 PM