CVE-2024-39371: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. The trace leading to that looks as follows: BUG: kernel NULL pointer dereference, address: 00000000000000b0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 because the request is marked forced ASYNC and has a bad file fd, and hence takes the forced async prep path. Current kernels with the request async prep cleaned up can no longer hit this issue, but for ease of backporting, let's add this safety check in here too as it really doesn't hurt. For both cases, this will inevitably end with a CQE posted with -EBADF.
AI Analysis
Technical Summary
CVE-2024-39371 is a vulnerability identified in the Linux kernel's io_uring subsystem, specifically related to the function io_file_can_poll(). The vulnerability arises from a missing check for a non-NULL file pointer during the forced asynchronous (async) preparation path. In earlier kernel versions, if an io_uring request was marked as forced async but had no valid file descriptor assigned (i.e., a NULL file pointer), it could trigger a NULL pointer dereference. This results in a kernel oops (crash) due to an invalid memory access at address 0x00000000000000b0. The vulnerability is triggered when the kernel attempts to select an I/O buffer via io_buffer_select() without verifying the validity of the file pointer, leading to a page fault and kernel panic. The trace provided shows the call stack leading to the crash, indicating that the issue occurs during the asynchronous I/O submission process (io_submit_sqes and related functions). The root cause is that the forced async preparation path does not adequately validate the file descriptor before proceeding, allowing a NULL pointer dereference. The fix involves adding a safety check in io_file_can_poll() to ensure the file pointer is not NULL before proceeding. This prevents the kernel from dereferencing a NULL pointer and instead results in a controlled error response (CQE posted with -EBADF), indicating a bad file descriptor. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using io_uring for asynchronous I/O operations. Although the issue does not appear to be exploited in the wild yet, it poses a risk of denial-of-service (DoS) through kernel crashes if malicious or malformed requests are submitted to vulnerable kernels. The vulnerability is technical and requires crafted input to trigger, but it can be exploited locally or remotely if an attacker can submit io_uring requests with invalid file descriptors.
Potential Impact
For European organizations, the primary impact of CVE-2024-39371 is the potential for denial-of-service attacks against Linux-based systems that utilize the io_uring interface for asynchronous I/O. This includes servers, cloud infrastructure, and embedded devices running vulnerable kernel versions. A successful exploitation leads to kernel crashes, causing service interruptions and potential downtime. This can affect critical infrastructure, web servers, database servers, and any application relying on Linux kernel stability. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting system instability can disrupt business operations and availability. Organizations in sectors such as finance, healthcare, telecommunications, and government, which heavily depend on Linux servers, may face operational risks. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to degrade system reliability or as a distraction while other attacks are conducted. Given the widespread use of Linux in European data centers and cloud environments, the impact is significant if unpatched systems remain exposed. However, exploitation requires the ability to submit crafted io_uring requests, which may limit remote exploitation vectors unless exposed services allow such interactions.
Mitigation Recommendations
European organizations should implement the following specific mitigation steps: 1) Identify and inventory all Linux systems using kernel versions prior to the patch that include the vulnerable io_uring implementation. 2) Apply the official Linux kernel patches or upgrade to a kernel version that includes the fix for CVE-2024-39371 as soon as possible to prevent exploitation. 3) Restrict access to systems and services that allow submission of io_uring requests, especially from untrusted or external networks, to reduce the attack surface. 4) Monitor system logs and kernel oops reports for signs of NULL pointer dereferences or unexpected crashes related to io_uring operations, which may indicate attempted exploitation. 5) Employ kernel hardening techniques such as kernel lockdown and seccomp filters to limit the ability of unprivileged users or processes to invoke io_uring syscalls. 6) For cloud and container environments, ensure that container runtimes and orchestration platforms are configured to prevent untrusted containers from accessing io_uring interfaces or submitting malformed requests. 7) Conduct regular vulnerability scanning and penetration testing focused on asynchronous I/O interfaces to detect potential exploitation attempts. These steps go beyond generic advice by focusing on access control to io_uring interfaces, proactive monitoring for kernel faults, and environment-specific hardening.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-39371: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. The trace leading to that looks as follows: BUG: kernel NULL pointer dereference, address: 00000000000000b0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 because the request is marked forced ASYNC and has a bad file fd, and hence takes the forced async prep path. Current kernels with the request async prep cleaned up can no longer hit this issue, but for ease of backporting, let's add this safety check in here too as it really doesn't hurt. For both cases, this will inevitably end with a CQE posted with -EBADF.
AI-Powered Analysis
Technical Analysis
CVE-2024-39371 is a vulnerability identified in the Linux kernel's io_uring subsystem, specifically related to the function io_file_can_poll(). The vulnerability arises from a missing check for a non-NULL file pointer during the forced asynchronous (async) preparation path. In earlier kernel versions, if an io_uring request was marked as forced async but had no valid file descriptor assigned (i.e., a NULL file pointer), it could trigger a NULL pointer dereference. This results in a kernel oops (crash) due to an invalid memory access at address 0x00000000000000b0. The vulnerability is triggered when the kernel attempts to select an I/O buffer via io_buffer_select() without verifying the validity of the file pointer, leading to a page fault and kernel panic. The trace provided shows the call stack leading to the crash, indicating that the issue occurs during the asynchronous I/O submission process (io_submit_sqes and related functions). The root cause is that the forced async preparation path does not adequately validate the file descriptor before proceeding, allowing a NULL pointer dereference. The fix involves adding a safety check in io_file_can_poll() to ensure the file pointer is not NULL before proceeding. This prevents the kernel from dereferencing a NULL pointer and instead results in a controlled error response (CQE posted with -EBADF), indicating a bad file descriptor. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using io_uring for asynchronous I/O operations. Although the issue does not appear to be exploited in the wild yet, it poses a risk of denial-of-service (DoS) through kernel crashes if malicious or malformed requests are submitted to vulnerable kernels. The vulnerability is technical and requires crafted input to trigger, but it can be exploited locally or remotely if an attacker can submit io_uring requests with invalid file descriptors.
Potential Impact
For European organizations, the primary impact of CVE-2024-39371 is the potential for denial-of-service attacks against Linux-based systems that utilize the io_uring interface for asynchronous I/O. This includes servers, cloud infrastructure, and embedded devices running vulnerable kernel versions. A successful exploitation leads to kernel crashes, causing service interruptions and potential downtime. This can affect critical infrastructure, web servers, database servers, and any application relying on Linux kernel stability. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting system instability can disrupt business operations and availability. Organizations in sectors such as finance, healthcare, telecommunications, and government, which heavily depend on Linux servers, may face operational risks. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to degrade system reliability or as a distraction while other attacks are conducted. Given the widespread use of Linux in European data centers and cloud environments, the impact is significant if unpatched systems remain exposed. However, exploitation requires the ability to submit crafted io_uring requests, which may limit remote exploitation vectors unless exposed services allow such interactions.
Mitigation Recommendations
European organizations should implement the following specific mitigation steps: 1) Identify and inventory all Linux systems using kernel versions prior to the patch that include the vulnerable io_uring implementation. 2) Apply the official Linux kernel patches or upgrade to a kernel version that includes the fix for CVE-2024-39371 as soon as possible to prevent exploitation. 3) Restrict access to systems and services that allow submission of io_uring requests, especially from untrusted or external networks, to reduce the attack surface. 4) Monitor system logs and kernel oops reports for signs of NULL pointer dereferences or unexpected crashes related to io_uring operations, which may indicate attempted exploitation. 5) Employ kernel hardening techniques such as kernel lockdown and seccomp filters to limit the ability of unprivileged users or processes to invoke io_uring syscalls. 6) For cloud and container environments, ensure that container runtimes and orchestration platforms are configured to prevent untrusted containers from accessing io_uring interfaces or submitting malformed requests. 7) Conduct regular vulnerability scanning and penetration testing focused on asynchronous I/O interfaces to detect potential exploitation attempts. These steps go beyond generic advice by focusing on access control to io_uring interfaces, proactive monitoring for kernel faults, and environment-specific hardening.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-06-24T13:54:11.039Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9829c4522896dcbe2c62
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 12:26:50 PM
Last updated: 8/16/2025, 1:33:19 AM
Views: 9
Related Threats
CVE-2025-52287: n/a
UnknownCVE-2025-55581: n/a
HighCVE-2025-52085: n/a
HighCVE-2025-43760: CWE-79: Cross-site Scripting in Liferay Portal
MediumCVE-2025-55613: n/a
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.