CVE-2024-40899: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasan_report+0x94/0xc0 cachefiles_ondemand_daemon_read+0x609/0xab0 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 626: __kmalloc+0x1df/0x4b0 cachefiles_ondemand_send_req+0x24d/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 626: kfree+0xf1/0x2c0 cachefiles_ondemand_send_req+0x568/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req cachefiles_ondemand_get_fd copy_to_user(_buffer, msg, n) process_open_req(REQ_A) ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW); cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req write(devfd, ("copen %u,%llu", msg->msg_id, size)); cachefiles_ondemand_copen xa_erase(&cache->reqs, id) complete(&REQ_A->done) kfree(REQ_A) cachefiles_ondemand_get_fd(REQ_A) fd = get_unused_fd_flags file = anon_inode_getfile fd_install(fd, file) load = (void *)REQ_A->msg.data; load->fd = fd; // load UAF !!! This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over. Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.
AI Analysis
Technical Summary
CVE-2024-40899 is a use-after-free (UAF) vulnerability identified in the Linux kernel's cachefiles subsystem, specifically within the cachefiles_ondemand_get_fd() function. The vulnerability arises when the cachefiles daemon processes a 'restore' command while still active, causing a request object (cachefiles_req) to be handled multiple times concurrently. This leads to a scenario where the kernel frees the memory associated with a request but subsequently attempts to access it again, triggering a slab-use-after-free condition detected by Kernel Address Sanitizer (KASAN). The root cause is the lack of proper reference counting on the cachefiles_req structure during overlapping operations such as waiting and reading. The flaw manifests during the interaction between multiple daemon threads handling requests, where a request is allocated, processed, and freed, but a subsequent operation attempts to access the already freed memory. The fix involves introducing an additional reference count to the cachefiles_req object to ensure it remains valid throughout its lifecycle, preventing multiple completions and premature freeing. This vulnerability was discovered through fuzz testing and affects specific Linux kernel commits prior to the patch. The issue is technical and low-level, involving kernel memory management and concurrency in the cachefiles subsystem, which is used for caching remote filesystems like NFS. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running affected Linux kernel versions with the cachefiles feature enabled, commonly used in environments leveraging networked or remote filesystems such as NFS. Exploitation could lead to kernel crashes (denial of service) or potentially enable privilege escalation or arbitrary code execution within the kernel context if an attacker can trigger the use-after-free condition reliably. This could compromise the confidentiality, integrity, and availability of critical systems, especially in sectors relying heavily on Linux servers for file sharing, cloud infrastructure, or edge computing. Given the kernel-level nature of the flaw, successful exploitation could undermine system stability and security, impacting data centers, enterprise servers, and cloud providers across Europe. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop techniques to leverage this vulnerability. Organizations in finance, telecommunications, government, and critical infrastructure sectors are particularly sensitive due to their reliance on robust Linux-based systems and the potential impact of service disruption or data breaches.
Mitigation Recommendations
European organizations should promptly assess their Linux kernel versions against the affected commits and apply the official patches or kernel updates that address CVE-2024-40899. Since the vulnerability involves kernel memory management, upgrading to the latest stable Linux kernel release containing the fix is the most effective mitigation. For environments where immediate patching is not feasible, disabling the cachefiles feature or the ondemand mode can reduce exposure, though this may impact performance or functionality related to caching remote filesystems. System administrators should also implement strict access controls to limit unprivileged users' ability to interact with the cachefiles daemon or issue restore commands, minimizing the attack surface. Continuous monitoring for unusual kernel crashes or daemon behavior can help detect exploitation attempts. Additionally, integrating kernel runtime security tools such as KASAN or kernel lockdown features can provide early detection and containment. Organizations should maintain an inventory of Linux systems and ensure coordinated patch management processes to rapidly deploy fixes across distributed environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-40899: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() We got the following issue in a fuzz test of randomly issuing the restore command: ================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0 Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962 CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542 Call Trace: kasan_report+0x94/0xc0 cachefiles_ondemand_daemon_read+0x609/0xab0 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0 Allocated by task 626: __kmalloc+0x1df/0x4b0 cachefiles_ondemand_send_req+0x24d/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] Freed by task 626: kfree+0xf1/0x2c0 cachefiles_ondemand_send_req+0x568/0x690 cachefiles_create_tmpfile+0x249/0xb30 cachefiles_create_file+0x6f/0x140 cachefiles_look_up_object+0x29c/0xa60 cachefiles_lookup_cookie+0x37d/0xca0 fscache_cookie_state_machine+0x43c/0x1230 [...] ================================================================== Following is the process that triggers the issue: mount | daemon_thread1 | daemon_thread2 ------------------------------------------------------------ cachefiles_ondemand_init_object cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done) cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req cachefiles_ondemand_get_fd copy_to_user(_buffer, msg, n) process_open_req(REQ_A) ------ restore ------ cachefiles_ondemand_restore xas_for_each(&xas, req, ULONG_MAX) xas_set_mark(&xas, CACHEFILES_REQ_NEW); cachefiles_daemon_read cachefiles_ondemand_daemon_read REQ_A = cachefiles_ondemand_select_req write(devfd, ("copen %u,%llu", msg->msg_id, size)); cachefiles_ondemand_copen xa_erase(&cache->reqs, id) complete(&REQ_A->done) kfree(REQ_A) cachefiles_ondemand_get_fd(REQ_A) fd = get_unused_fd_flags file = anon_inode_getfile fd_install(fd, file) load = (void *)REQ_A->msg.data; load->fd = fd; // load UAF !!! This issue is caused by issuing a restore command when the daemon is still alive, which results in a request being processed multiple times thus triggering a UAF. So to avoid this problem, add an additional reference count to cachefiles_req, which is held while waiting and reading, and then released when the waiting and reading is over. Note that since there is only one reference count for waiting, we need to avoid the same request being completed multiple times, so we can only complete the request if it is successfully removed from the xarray.
AI-Powered Analysis
Technical Analysis
CVE-2024-40899 is a use-after-free (UAF) vulnerability identified in the Linux kernel's cachefiles subsystem, specifically within the cachefiles_ondemand_get_fd() function. The vulnerability arises when the cachefiles daemon processes a 'restore' command while still active, causing a request object (cachefiles_req) to be handled multiple times concurrently. This leads to a scenario where the kernel frees the memory associated with a request but subsequently attempts to access it again, triggering a slab-use-after-free condition detected by Kernel Address Sanitizer (KASAN). The root cause is the lack of proper reference counting on the cachefiles_req structure during overlapping operations such as waiting and reading. The flaw manifests during the interaction between multiple daemon threads handling requests, where a request is allocated, processed, and freed, but a subsequent operation attempts to access the already freed memory. The fix involves introducing an additional reference count to the cachefiles_req object to ensure it remains valid throughout its lifecycle, preventing multiple completions and premature freeing. This vulnerability was discovered through fuzz testing and affects specific Linux kernel commits prior to the patch. The issue is technical and low-level, involving kernel memory management and concurrency in the cachefiles subsystem, which is used for caching remote filesystems like NFS. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to systems running affected Linux kernel versions with the cachefiles feature enabled, commonly used in environments leveraging networked or remote filesystems such as NFS. Exploitation could lead to kernel crashes (denial of service) or potentially enable privilege escalation or arbitrary code execution within the kernel context if an attacker can trigger the use-after-free condition reliably. This could compromise the confidentiality, integrity, and availability of critical systems, especially in sectors relying heavily on Linux servers for file sharing, cloud infrastructure, or edge computing. Given the kernel-level nature of the flaw, successful exploitation could undermine system stability and security, impacting data centers, enterprise servers, and cloud providers across Europe. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop techniques to leverage this vulnerability. Organizations in finance, telecommunications, government, and critical infrastructure sectors are particularly sensitive due to their reliance on robust Linux-based systems and the potential impact of service disruption or data breaches.
Mitigation Recommendations
European organizations should promptly assess their Linux kernel versions against the affected commits and apply the official patches or kernel updates that address CVE-2024-40899. Since the vulnerability involves kernel memory management, upgrading to the latest stable Linux kernel release containing the fix is the most effective mitigation. For environments where immediate patching is not feasible, disabling the cachefiles feature or the ondemand mode can reduce exposure, though this may impact performance or functionality related to caching remote filesystems. System administrators should also implement strict access controls to limit unprivileged users' ability to interact with the cachefiles daemon or issue restore commands, minimizing the attack surface. Continuous monitoring for unusual kernel crashes or daemon behavior can help detect exploitation attempts. Additionally, integrating kernel runtime security tools such as KASAN or kernel lockdown features can provide early detection and containment. Organizations should maintain an inventory of Linux systems and ensure coordinated patch management processes to rapidly deploy fixes across distributed environments.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.579Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9829c4522896dcbe2dd2
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 12:56:38 PM
Last updated: 7/28/2025, 6:09:49 AM
Views: 10
Related Threats
CVE-2025-8921: SQL Injection in code-projects Job Diary
MediumCVE-2025-8920: Cross Site Scripting in Portabilis i-Diario
MediumCVE-2025-45316: n/a
UnknownCVE-2025-45314: n/a
UnknownCVE-2025-8919: Cross Site Scripting in Portabilis i-Diario
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.