
CVE-2024-39510: Vulnerability in Linux (Linux)

High
Tags: Vulnerability, CVE-2024-39510, cve
Published: Fri Jul 12 2024 (07/12/2024, 12:20:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()

We got the following issue in a fuzz test of randomly issuing the restore command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60
Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963

CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564
Call Trace:
 kasan_report+0x93/0xc0
 cachefiles_ondemand_daemon_read+0xb41/0xb60
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 116:
 kmem_cache_alloc+0x140/0x3a0
 cachefiles_lookup_cookie+0x140/0xcd0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 792:
 kmem_cache_free+0xfe/0x390
 cachefiles_put_object+0x241/0x480
 fscache_cookie_state_machine+0x5c8/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
cachefiles_withdraw_cookie
 cachefiles_ondemand_clean_object(object)
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              msg->object_id = req->object->ondemand->ondemand_id
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW)

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req
              copy_to_user(_buffer, msg, n)
               xa_erase(&cache->reqs, id)
               complete(&REQ_A->done)
              ------ close(fd) ------
              cachefiles_ondemand_fd_release
               cachefiles_put_object
   cachefiles_put_object
    kmem_cache_free(cachefiles_object_jar, object)
                                    REQ_A->object->ondemand->ondemand_id
                                    // object UAF !!!

When we see the request within xa_lock, req->object must not have been freed yet, so grab the reference count of object before xa_unlock to avoid the above issue.

AI-Powered Analysis

AI analysis last updated: 06/29/2025, 12:56:29 UTC

Technical Analysis

CVE-2024-39510 is a use-after-free vulnerability in the Linux kernel's cachefiles subsystem, specifically in the function cachefiles_ondemand_daemon_read(). It arises from improper handling of object references when several cachefiles on-demand daemon threads operate concurrently. During fuzz testing, KASAN reported a slab-use-after-free: a cachefiles object that had already been freed was read by the daemon read path, a memory corruption condition. The root cause is that the object's reference count is not incremented before the xa_lock is released, so another thread (in the reported trace, the close(fd) and cookie-withdrawal paths) can drop the last reference and free the object while the daemon read path is still dereferencing it. A use-after-free of this kind can crash the kernel and, if exploited, could potentially lead to arbitrary code execution in kernel space. Affected are Linux kernel versions prior to the patch, which takes the object reference before unlocking the xa_lock so the object cannot be freed prematurely. The issue was found through fuzz testing and involves the interaction of several kernel threads handling cachefiles on-demand requests, restore commands, and object lifecycle management. No exploits are currently known in the wild, and no CVSS score has been assigned yet.
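The fix described above is the standard refcount-before-unlock pattern: whoever looks an object up under a lock and intends to use it after unlocking must take a reference while the lock is still held. The following is a userspace model added for this page, not kernel code and not the project's patch. The names object, request, reqs_lock()/reqs_unlock(), select_req() and replay() are stand-ins for cachefiles_object, cachefiles_req, the xa_lock around cache->reqs and cachefiles_ondemand_select_req, and a freed flag stands in for kmem_cache_free() so that the wrong ordering can be observed without undefined behaviour. It replays the interleaving from the race table once without and once with the reference taken under the lock.

```c
/*
 * Userspace model of the CVE-2024-39510 fix: take a reference on the object a
 * request points at while the request table lock is still held.
 *
 * Added illustration, not kernel code. `object`, `request`, `reqs_lock()` and
 * `select_req()` stand in for cachefiles_object, cachefiles_req, xa_lock and
 * cachefiles_ondemand_select_req. A `freed` flag stands in for
 * kmem_cache_free() so the wrong ordering is observable without undefined
 * behaviour.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

struct object {
    int refcnt;       /* number of holders; 0 means the object is gone */
    int ondemand_id;  /* the field the daemon read path copies into msg */
    bool freed;       /* model of kmem_cache_free() having run */
};

struct request {
    struct object *object;  /* req->object in the kernel */
};

/* Single lock standing in for the xarray's xa_lock around cache->reqs. */
static bool reqs_locked;

static void reqs_lock(void)   { assert(!reqs_locked); reqs_locked = true; }
static void reqs_unlock(void) { assert(reqs_locked);  reqs_locked = false; }

static void object_get(struct object *obj)
{
    assert(!obj->freed);
    obj->refcnt++;
}

/* Drop one reference; the last put "frees" the object. */
static void object_put(struct object *obj)
{
    assert(!obj->freed && obj->refcnt > 0);
    if (--obj->refcnt == 0)
        obj->freed = true;
}

/*
 * Daemon read, first half: pick the request under the lock and remember its
 * object. With take_ref == true the reference is taken before unlocking,
 * which is what the fix does; with false it reproduces the buggy code, which
 * returns a bare pointer that nothing keeps alive.
 */
static struct object *select_req(struct request *req, bool take_ref)
{
    struct object *obj;

    reqs_lock();
    obj = req->object;          /* valid: a live req pins its object here */
    if (take_ref)
        object_get(obj);        /* the fix */
    reqs_unlock();
    return obj;
}

/*
 * Replay the interleaving from the race table for REQ_A:
 *  1. daemon_thread2 selects REQ_A and records its object pointer
 *  2. daemon_thread1 completes REQ_A, closes the fd, drops its reference
 *  3. the mount path drops the last reference (kmem_cache_free in the kernel)
 *  4. daemon_thread2 reads req->object->ondemand->ondemand_id
 * Returns the id step 4 reads, or -1 if the object was already freed.
 */
static int replay(bool take_ref_under_lock)
{
    /* Two holders at the start: the fd (daemon_thread1) and the mount path. */
    struct object obj = { .refcnt = 2, .ondemand_id = 42, .freed = false };
    struct request req_a = { .object = &obj };
    struct object *seen;
    int id;

    seen = select_req(&req_a, take_ref_under_lock);      /* step 1 */

    object_put(&obj);   /* step 2: close(fd) -> cachefiles_put_object */
    object_put(&obj);   /* step 3: withdraw path -> cachefiles_put_object */

    id = seen->freed ? -1 : seen->ondemand_id;           /* step 4 */

    if (take_ref_under_lock)
        object_put(seen);   /* matching put once the message has been copied */
    return id;
}

int main(void)
{
    printf("without ref under lock: %d (-1 = use after free)\n", replay(false));
    printf("with ref under lock:    %d\n", replay(true));
    return 0;
}
```

The model makes the invariant explicit: the pointer obtained under the lock is only guaranteed valid until the lock is dropped, unless the caller has pinned the object with its own reference. The matching put after the message has been handed to userspace is part of the fix; without it the object would leak instead of being freed early.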

Potential Impact

For European organizations, this vulnerability poses a significant risk, particularly to those running Linux-based systems with the cachefiles feature enabled. Cachefiles is commonly used to improve performance in networked file systems and caching scenarios, including enterprise environments that rely on Linux servers for file sharing, caching proxies, or distributed storage. Exploitation could lead to kernel crashes causing denial of service or, in the worst case, privilege escalation or arbitrary code execution at the kernel level, compromising the confidentiality, integrity, and availability of critical systems. The risk is heightened in environments with multi-threaded workloads and heavy use of the cachefiles on-demand mode. Given the widespread deployment of Linux servers across European enterprises, cloud providers, and public sector infrastructure, the vulnerability could disrupt services or be leveraged in targeted attacks against critical infrastructure or data centers. However, the lack of known exploits and the complexity of triggering the bug may limit its immediate widespread impact.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-39510 as soon as they become available. Until patched, organizations should consider disabling the cachefiles feature if it is not essential to their operations to reduce attack surface. For environments where cachefiles is required, implementing strict kernel hardening measures such as Kernel Address Sanitizer (KASAN) during testing, enabling kernel lockdown features, and restricting access to kernel modules and daemon processes can help mitigate exploitation risk. Monitoring kernel logs for KASAN reports or unusual cachefiles daemon behavior can provide early detection of exploitation attempts. Additionally, organizations should ensure that all Linux systems are running supported and up-to-date kernel versions, and maintain robust incident response plans to quickly address potential kernel-level compromises. Network segmentation and limiting access to systems running vulnerable kernels can further reduce exposure.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-06-25T14:23:23.753Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9829c4522896dcbe2dce

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:56:29 PM

Last updated: 8/18/2025, 4:32:01 AM

Views: 20
