CVE-2024-40955: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()

We can trigger a slab-out-of-bounds with the following commands:

    mkfs.ext4 -F /dev/$disk 10G
    mount /dev/$disk /tmp/test
    echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc
    echo test > /tmp/test/file && sync

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11
CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521
Call Trace:
 dump_stack_lvl+0x2c/0x50
 kasan_report+0xb6/0xf0
 ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]
 ext4_mb_regular_allocator+0x19e9/0x2370 [ext4]
 ext4_mb_new_blocks+0x88a/0x1370 [ext4]
 ext4_ext_map_blocks+0x14f7/0x2390 [ext4]
 ext4_map_blocks+0x569/0xea0 [ext4]
 ext4_do_writepages+0x10f6/0x1bc0 [ext4]
 [...]
==================================================================

The flow of issue triggering is as follows:

    // Set s_mb_group_prealloc to 2147483647 via sysfs
    ext4_mb_new_blocks
      ext4_mb_normalize_request
        ext4_mb_normalize_group_request
          ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc
      ext4_mb_regular_allocator
        ext4_mb_choose_next_group
          ext4_mb_choose_next_group_best_avail
            mb_avg_fragment_size_order
              order = fls(len) - 2 = 29
            ext4_mb_find_good_group_avg_frag_lists
              frag_list = &sbi->s_mb_avg_fragment_size[order]
              if (list_empty(frag_list)) // Trigger SOOB!

At 4k block size, the length of the s_mb_avg_fragment_size list is 14, but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds to be triggered by an attempt to access an element at index 29.

Add a new attr_id attr_clusters_in_group with values in the range [0, sbi->s_clusters_per_group] and declare mb_group_prealloc as that type to fix the issue.

In addition avoid returning an order from mb_avg_fragment_size_order() greater than MB_NUM_ORDERS(sb) and reduce some useless loops.
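The following is an added example, not the kernel's code or part of the original advisory. It models in plain C the arithmetic the commit message describes: the fragment-size order is fls(len) - 2, the s_mb_avg_fragment_size array has MB_NUM_ORDERS(sb) = s_blocksize_bits + 2 entries (14 at a 4k block size), and a preallocation length of 2147483647 produces order 29. It then shows the two halves of the fix as the commit describes them: the sysfs attribute only accepting values in [0, s_clusters_per_group], and the order never exceeding the array. The struct, fls_model(), the exact clamp expression, and the s_clusters_per_group value of 32768 are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the allocator path named in the commit message; this is not
 * the kernel's code. struct sb_model, fls_model(), the clamp in order_clamped()
 * and the s_clusters_per_group value are assumptions made for the example. */

/* As in the kernel: MB_NUM_ORDERS(sb) == s_blocksize_bits + 2. A 4k block size
 * (s_blocksize_bits == 12) therefore gives 14 lists, valid indices 0..13. */
#define MB_NUM_ORDERS(blocksize_bits) ((blocksize_bits) + 2)

/* The value written via sysfs in the advisory's reproduction steps. */
#define OVERSIZED_PREALLOC 2147483647u

struct sb_model {
    int s_blocksize_bits;           /* 12 for 4k blocks */
    unsigned s_clusters_per_group;  /* 32768 assumed for a default 4k ext4 */
    unsigned s_mb_group_prealloc;   /* the tunable behind mb_group_prealloc */
};

/* fls(): 1-based index of the highest set bit; fls(0) == 0, like the kernel helper. */
static int fls_model(unsigned v)
{
    int n = 0;
    while (v) { n++; v >>= 1; }
    return n;
}

/* Pre-fix mb_avg_fragment_size_order(): the result is not bounded above, so
 * len == 2147483647 yields fls(len) - 2 == 29, past the 14-entry array. */
static int order_unclamped(const struct sb_model *sb, unsigned len)
{
    int order = fls_model(len) - 2;
    if (order < 0)
        return 0;
    if (order == MB_NUM_ORDERS(sb->s_blocksize_bits))
        order--;
    return order;
}

/* Post-fix behaviour described in the commit: never return an order at or
 * beyond MB_NUM_ORDERS(sb). The exact clamp expression is an assumption. */
static int order_clamped(const struct sb_model *sb, unsigned len)
{
    int max = MB_NUM_ORDERS(sb->s_blocksize_bits);
    int order = fls_model(len) - 2;
    if (order < 0)
        return 0;
    if (order >= max)
        order = max - 1;
    return order;
}

/* The sysfs-side fix: the new attr_clusters_in_group type only accepts values
 * in [0, s_clusters_per_group]; anything else is rejected (modelled on the
 * kernel's -EINVAL, an assumption here). */
static bool store_mb_group_prealloc(struct sb_model *sb, long value)
{
    if (value < 0 || (unsigned long)value > sb->s_clusters_per_group)
        return false;
    sb->s_mb_group_prealloc = (unsigned)value;
    return true;
}

/* True when `order` indexes s_mb_avg_fragment_size[] inside the allocation. */
static bool index_in_bounds(const struct sb_model *sb, int order)
{
    return order >= 0 && order < MB_NUM_ORDERS(sb->s_blocksize_bits);
}

static struct sb_model demo_sb(void)
{
    struct sb_model sb = { 12, 32768u, 512u };  /* constructed 4k filesystem */
    return sb;
}

/* Helpers that reproduce the numbers quoted in the advisory. */
static int demo_unclamped_order(void) { struct sb_model sb = demo_sb(); return order_unclamped(&sb, OVERSIZED_PREALLOC); }
static int demo_clamped_order(void)   { struct sb_model sb = demo_sb(); return order_clamped(&sb, OVERSIZED_PREALLOC); }
static bool demo_unclamped_in_bounds(void) { struct sb_model sb = demo_sb(); return index_in_bounds(&sb, demo_unclamped_order()); }
static bool demo_store_accepted(void) { struct sb_model sb = demo_sb(); return store_mb_group_prealloc(&sb, OVERSIZED_PREALLOC); }
static bool demo_store_default_accepted(void) { struct sb_model sb = demo_sb(); return store_mb_group_prealloc(&sb, 512); }

int main(void)
{
    printf("MB_NUM_ORDERS at 4k: %d\n", MB_NUM_ORDERS(12));
    printf("pre-fix order for %u: %d (in bounds: %s)\n", OVERSIZED_PREALLOC,
           demo_unclamped_order(), demo_unclamped_in_bounds() ? "yes" : "no");
    printf("post-fix order: %d\n", demo_clamped_order());
    printf("sysfs store of %u accepted: %s\n", OVERSIZED_PREALLOC,
           demo_store_accepted() ? "yes" : "no");
    return 0;
}
```

The point of the model is that both halves of the fix are needed: the range check on the sysfs attribute stops an out-of-range length from ever entering the allocator, and the clamp in the order computation makes the array index safe even if a length reaches it by some other path.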
AI Analysis
Technical Summary
CVE-2024-40955 is a vulnerability in the Linux kernel's ext4 filesystem, specifically in the ext4_mb_find_good_group_avg_frag_lists() function of the multiblock allocator. The flaw is a slab-out-of-bounds (SOOB) read triggered by setting the mb_group_prealloc tunable via sysfs to an excessively large value (e.g., 2147483647). That value is copied into the allocation request length, and the fragment-size order derived from it (fls(len) - 2 = 29) exceeds the length of the s_mb_avg_fragment_size array (14 at a 4k block size), so the kernel reads a list head beyond the end of the slab-allocated array. The underlying cause is insufficient validation of the mb_group_prealloc sysfs attribute combined with a missing upper bound on the result of mb_avg_fragment_size_order(). The vulnerability can be triggered by formatting a disk with ext4, mounting it, writing a large value to the mb_group_prealloc sysfs attribute, and performing a write that forces a block allocation. On instrumented kernels the out-of-bounds read is reported by the Kernel Address Sanitizer (KASAN); on production kernels it can lead to a kernel crash or memory corruption. The fix introduces a new sysfs attribute type, attr_clusters_in_group, that constrains mb_group_prealloc to the range [0, s_clusters_per_group], and additionally prevents mb_avg_fragment_size_order() from returning an order greater than MB_NUM_ORDERS(sb). This vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using ext4 with the affected kernel versions. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to servers and systems running Linux kernels with the vulnerable ext4 implementation. Since ext4 is one of the most widely used filesystems in Linux environments, including enterprise servers, cloud infrastructure, and embedded devices, exploitation could lead to denial of service via kernel crashes or potentially enable privilege escalation or arbitrary code execution through memory corruption. The impact includes system instability, data loss, and disruption of critical services. Organizations relying on Linux-based infrastructure for web hosting, cloud services, or internal applications could face operational outages. Additionally, if attackers develop exploits, this could be leveraged in targeted attacks against critical infrastructure or data centers. The vulnerability's exploitation requires local access or the ability to execute commands on the affected system, which limits remote exploitation but does not eliminate risk, especially in multi-tenant or shared environments. European entities with high dependence on Linux servers, such as financial institutions, telecommunications providers, and government agencies, could experience significant operational and reputational damage if affected.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix for CVE-2024-40955 as soon as they are available from your Linux distribution vendor.
2. Restrict access to sysfs interfaces: Limit write permissions to /sys/fs/ext4/* attributes, especially mb_group_prealloc, to trusted administrators only to prevent unauthorized manipulation.
3. Monitor kernel logs: Implement monitoring for KASAN or slab-out-of-bounds errors in kernel logs to detect potential exploitation attempts or system instability.
4. Harden system access: Enforce strict access controls and use security modules like SELinux or AppArmor to restrict processes that can interact with ext4 filesystem parameters.
5. Use alternative filesystems: Where feasible, consider using filesystems other than ext4 for critical workloads until patches are applied.
6. Conduct vulnerability scanning and penetration testing: Regularly scan Linux systems for this vulnerability and test the effectiveness of mitigations.
7. Backup critical data: Maintain up-to-date backups to mitigate data loss risks from potential crashes or corruption.
8. Educate system administrators: Ensure that Linux administrators are aware of this vulnerability and the importance of applying patches and restricting sysfs access.
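Recommendation 3 asks for monitoring of KASAN and slab-out-of-bounds reports in kernel logs. The following is an added example, not code from the advisory or from any monitoring product: a small C parser for the "BUG: KASAN: <kind> in <function>+<offset> [<module>]" line format shown in the report above, run over a handful of constructed dmesg-style lines. It extracts the report kind and the faulting function, and counts only out-of-bounds reports attributed to the ext4 module, so an unrelated report from another driver is not counted. The sample log lines are constructed for the example; only the KASAN line reproduces text from the advisory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: a minimal scanner for the KASAN report line shape quoted in
 * the advisory, applied to constructed log lines. Not part of the page or of
 * any existing tool. */

struct kasan_hit {
    char kind[32];   /* e.g. "slab-out-of-bounds" */
    char func[96];   /* faulting function, e.g. ext4_mb_find_good_group_avg_frag_lists */
    bool in_ext4;    /* whether the report attributes the fault to the ext4 module */
};

/* Parse one "BUG: KASAN: <kind> in <func>+0x.../0x... [module]" line.
 * Returns false for lines that are not KASAN bug headers. */
static bool parse_kasan_line(const char *line, struct kasan_hit *hit)
{
    const char *p = strstr(line, "BUG: KASAN: ");
    if (!p)
        return false;
    p += strlen("BUG: KASAN: ");

    const char *in = strstr(p, " in ");
    if (!in)
        return false;

    size_t klen = (size_t)(in - p);
    if (klen >= sizeof hit->kind)
        klen = sizeof hit->kind - 1;
    memcpy(hit->kind, p, klen);
    hit->kind[klen] = '\0';

    const char *f = in + strlen(" in ");
    size_t flen = strcspn(f, "+ ");      /* function name ends at '+' or a space */
    if (flen >= sizeof hit->func)
        flen = sizeof hit->func - 1;
    memcpy(hit->func, f, flen);
    hit->func[flen] = '\0';

    hit->in_ext4 = strstr(f, "[ext4]") != NULL;
    return true;
}

/* Count KASAN out-of-bounds reports attributed to ext4 across a log buffer. */
static int count_ext4_oob(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct kasan_hit h;
        if (parse_kasan_line(lines[i], &h) && h.in_ext4 && strstr(h.kind, "out-of-bounds"))
            hits++;
    }
    return hits;
}

/* Constructed sample log; only the KASAN line mirrors the advisory's report. */
static const char *const sample_log[] = {
    "[   12.001] EXT4-fs (sda1): mounted filesystem with ordered data mode.",
    "[   15.233] ==================================================================",
    "[   15.233] BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4]",
    "[   15.234] Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11",
    "[   20.100] BUG: KASAN: use-after-free in example_driver_fn+0x10/0x40 [example]",
};
#define SAMPLE_LOG_LEN ((int)(sizeof sample_log / sizeof sample_log[0]))

static int demo_count(void) { return count_ext4_oob(sample_log, SAMPLE_LOG_LEN); }

/* True if the ext4 report in the sample names the function from the advisory. */
static bool demo_first_hit_is_frag_lists(void)
{
    struct kasan_hit h;
    return parse_kasan_line(sample_log[2], &h) &&
           strcmp(h.func, "ext4_mb_find_good_group_avg_frag_lists") == 0 &&
           strcmp(h.kind, "slab-out-of-bounds") == 0;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_LOG_LEN; i++) {
        struct kasan_hit h;
        if (parse_kasan_line(sample_log[i], &h))
            printf("KASAN %s in %s%s\n", h.kind, h.func, h.in_ext4 ? " [ext4]" : "");
    }
    printf("ext4 out-of-bounds reports: %d\n", demo_count());
    return 0;
}
```

In practice the same match would be expressed as a rule in whatever log pipeline is in use; the parser shows which fields (report kind, function, module) are worth extracting so that an alert can be scoped to ext4 rather than firing on every KASAN report. KASAN lines only appear on kernels built with KASAN, so on production kernels the corresponding signal is a generic oops or crash in the same ext4 functions.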
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.592Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe14ac
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:41:20 AM
Last updated: 8/16/2025, 4:35:08 PM
Views: 11
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)