CVE-2024-41051: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object, cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it will incur a use-after-free problem as shown below.

process A: cachefiles_ondemand_send_req()
           // send a read req X
           // wait for its completion
process B: // close ondemand fd
           cachefiles_ondemand_fd_release()
           // set object as CLOSE
process C: cachefiles_ondemand_daemon_read()
           // set object as REOPENING
           queue_work(fscache_wq, &info->ondemand_work)
process D: // close /dev/cachefiles
           cachefiles_daemon_release
           cachefiles_flush_reqs
           complete(&req->done)
process A: // read req X is completed
           // umount the erofs fs
           cachefiles_put_object()
           // object will be freed
           cachefiles_ondemand_deinit_obj_info()
           kmem_cache_free(object)
process C: // both info and object are freed
           ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish.
AI Analysis
Technical Summary
CVE-2024-41051 is a use-after-free vulnerability in the Linux kernel's cachefiles subsystem. The issue arises during the handling of ondemand_object_worker(), which is queued to re-open a cachefiles_object. The vulnerability occurs because the cachefiles_object is not pinned when ondemand_object_worker() is queued. If the underlying erofs filesystem is unmounted and the pending read request completes, the cachefiles_object may be freed. Subsequently, if ondemand_object_worker() executes after the object has been freed, it accesses memory that has been deallocated, leading to a use-after-free condition. This can cause undefined behavior including potential kernel crashes or memory corruption. The root cause is a race condition between the completion of read requests and the lifecycle management of cachefiles_object during filesystem unmount. The fix involves ensuring that when dropping an object, the ondemand_object_worker() is either canceled or waited upon using cancel_work_sync(), preventing it from running after the object is freed. This vulnerability affects specific Linux kernel versions identified by their commit hashes and is related to the cachefiles and erofs filesystems interaction. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
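To make the race concrete, here is an added single-threaded userspace model (not kernel code and not the patch itself) of the sequence in the description: a queued work item holds an unpinned pointer to the object, the last reference is dropped on umount, and the workqueue then runs. The `patched` flag switches in the fix, a cancel_work_sync() call before the object is freed; `freed`, `uaf_hits` and `replay_race` are constructed for this model.

```c
/* Single-threaded userspace model of the CVE-2024-41051 race (constructed for this
 * page; the names mirror the kernel's but none of this is kernel code). */
#include <stdbool.h>
#include <stddef.h>

#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
struct work_struct { void (*fn)(struct work_struct *); bool pending; };
/* `freed` stands in for kmem_cache_free() so a touch-after-free is counted, not crashed on. */
struct cachefiles_object { int refcnt; bool freed; struct work_struct ondemand_work; };
#define WQ_MAX 8
static struct work_struct *fscache_wq[WQ_MAX];  /* pending items, FIFO */
static int wq_len, uaf_hits;                    /* uaf_hits: worker ran on a freed object */
static void queue_work(struct work_struct *w) {
    if (w->pending || wq_len == WQ_MAX) return; /* already queued: no-op, as in the kernel */
    w->pending = true;
    fscache_wq[wq_len++] = w;
}
/* Model of cancel_work_sync(): a pending item is marked cancelled and never runs (the
 * kernel version additionally waits for an instance that is already running). */
static void cancel_work_sync(struct work_struct *w) { w->pending = false; }
static void flush_workqueue(void) {             /* fscache_wq runs whatever is still pending */
    for (int i = 0; i < wq_len; i++) {
        if (!fscache_wq[i]->pending) continue;  /* cancelled before it got to run */
        fscache_wq[i]->pending = false;
        fscache_wq[i]->fn(fscache_wq[i]);
    }
    wq_len = 0;
}

static void ondemand_object_worker(struct work_struct *w) {
    struct cachefiles_object *obj = container_of(w, struct cachefiles_object, ondemand_work);
    if (obj->freed) uaf_hits++;                 /* the bug: object is gone, worker still runs */
}

static void cachefiles_put_object(struct cachefiles_object *obj, bool patched) {
    if (--obj->refcnt > 0) return;
    if (patched) cancel_work_sync(&obj->ondemand_work); /* the fix: cancel before freeing */
    obj->freed = true;                          /* kmem_cache_free(object) */
}

/* Replay the description's sequence: process C queues the reopen, process A drops the
 * last reference on umount, then the workqueue runs. Returns the number of UAF hits. */
int replay_race(bool patched) {
    struct cachefiles_object obj = { .refcnt = 1, .ondemand_work.fn = ondemand_object_worker };
    wq_len = 0; uaf_hits = 0;
    queue_work(&obj.ondemand_work);             /* daemon_read: REOPENING, queue reopen */
    cachefiles_put_object(&obj, patched);       /* umount: object freed */
    flush_workqueue();                          /* worker now runs, unless it was cancelled */
    return uaf_hits;                            /* 1 unpatched, 0 patched */
}
```

The model counts a touch-after-free instead of dereferencing freed memory; in the real kernel the same ordering is what KASAN would report as a use-after-free in ondemand_object_worker().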
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with cachefiles and erofs filesystems in use. Exploitation could lead to kernel crashes (denial of service) or potentially allow an attacker to execute arbitrary code in kernel context if the use-after-free is leveraged effectively. This could compromise system integrity and availability, impacting critical infrastructure, servers, and embedded devices relying on Linux. Given the widespread use of Linux in European enterprises, cloud providers, and government agencies, the vulnerability could disrupt services or be a foothold for privilege escalation attacks. The impact is more pronounced in environments where erofs is mounted and cachefiles is active, such as caching proxy servers or systems using cachefiles for performance optimization. Although no exploits are known yet, the vulnerability's nature makes it a candidate for future exploitation, especially in targeted attacks against high-value European targets.
Mitigation Recommendations
European organizations should promptly update their Linux kernels to versions where this vulnerability is patched. Specifically, ensure that the kernel includes the fix that uses cancel_work_sync() to safely cancel ondemand_object_worker() when dropping cachefiles objects. System administrators should audit their use of cachefiles and erofs filesystems and consider disabling cachefiles if not required. For critical systems, implement kernel live patching if available to minimize downtime. Additionally, monitor system logs for unusual kernel warnings or crashes related to cachefiles or ondemand_object_worker. Employ strict access controls to limit who can mount/unmount filesystems and interact with cachefiles. Finally, maintain robust backup and recovery procedures to mitigate potential denial of service impacts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.626Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe176d
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 3:56:20 AM
Last updated: 7/28/2025, 1:44:57 PM