
CVE-2024-41053: Vulnerability in Linux

High
Published: Mon Jul 29 2024 (07/29/2024, 14:32:08 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix ufshcd_abort_one racing issue

When ufshcd_abort_one is racing with the completion ISR, the completed tag of the request's mq_hctx pointer will be set to NULL by the ISR. Return success when the request is completed by the ISR, because ufshcd_abort_one does not need to do anything.

The racing flow is:

Thread A
ufshcd_err_handler                          step 1
    ...
    ufshcd_abort_one
        ufshcd_try_to_abort_task
            ufshcd_cmd_inflight(true)       step 3
        ufshcd_mcq_req_to_hwq
            blk_mq_unique_tag
                rq->mq_hctx->queue_num      step 5

Thread B
ufs_mtk_mcq_intr(cq complete ISR)           step 2
    scsi_done
        ...
        __blk_mq_free_request
            rq->mq_hctx = NULL;             step 4

Below is the KE back trace.

ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.
ufshcd_try_to_abort_task: cmd at tag=41 is cleared.
Aborting tag 41 / CDB 0x28 succeeded
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194
pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14
lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]
do_mem_abort+0x58/0x118
el1_abort+0x3c/0x5c
el1h_64_sync_handler+0x54/0x90
el1h_64_sync+0x68/0x6c
blk_mq_unique_tag+0x8/0x14
ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]
process_one_work+0x208/0x4fc
worker_thread+0x228/0x438
kthread+0x104/0x1d4
ret_from_fork+0x10/0x20

AI-Powered Analysis

Last updated: 06/29/2025, 03:56:38 UTC

Technical Analysis

CVE-2024-41053 is a race condition vulnerability in the Linux kernel's UFS (Universal Flash Storage) subsystem, specifically within the ufshcd_abort_one function. The vulnerability arises due to a race between the abort operation (ufshcd_abort_one) and the completion interrupt service routine (ISR) for SCSI commands handled by the UFS host controller driver. In this scenario, the ISR sets the mq_hctx pointer of a request to NULL upon completion, while concurrently, the abort function attempts to access this pointer without proper synchronization. This leads to a NULL pointer dereference, causing a kernel crash (NULL pointer dereference at virtual address 0x194) and resulting in a denial of service (DoS) condition. The kernel stack trace shows the failure occurs in blk_mq_unique_tag, called from ufshcd_mcq_req_to_hwq, triggered during error handling and abort attempts of SCSI commands. The root cause is the lack of proper coordination between the ISR freeing the request and the abort logic checking the request's state, leading to use-after-free or invalid pointer dereferencing. This vulnerability affects specific Linux kernel versions identified by commit hashes and is resolved by ensuring that ufshcd_abort_one returns success immediately if the ISR has already completed the request, preventing further access to freed or NULL pointers. No known exploits are reported in the wild as of the publication date.
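The interleaving in the description (abort path at steps 1, 3 and 5; completion ISR at steps 2 and 4) and the shape of the fix described in the analysis above, shown as an added userland model. This is example code written for this page, not the Linux kernel's own code: the structures are constructed stand-ins carrying only the fields the race touches, the ISR is simulated by a function call injected between the inflight check and the hardware-queue lookup, and the hardened lookup (one volatile snapshot of rq->mq_hctx, return NULL if it was cleared, abort returns success with nothing left to do) is an assumption modelled on the behaviour the advisory describes, not the upstream patch verbatim.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed, userland stand-ins for the kernel objects named in the
 * advisory. These are NOT the real block-layer / UFS definitions; only the
 * fields the race touches are modelled.
 */
struct blk_mq_hw_ctx {
    unsigned int queue_num;           /* hardware queue index */
};

struct request {
    unsigned int tag;
    struct blk_mq_hw_ctx *mq_hctx;    /* cleared by __blk_mq_free_request() */
};

struct ufs_hw_queue {
    unsigned int id;
};

struct ufs_hba {
    struct ufs_hw_queue hwq[2];       /* two MCQ hardware queues for the demo */
};

/* Thread B in the advisory: cq-complete ISR -> scsi_done -> __blk_mq_free_request. */
static void isr_complete_request(struct request *rq)
{
    rq->mq_hctx = NULL;               /* step 4: the pointer the abort path later reads */
}

/* blk_mq_unique_tag() as the back trace shows it: (queue_num << 16) | tag.
 * Reads rq->mq_hctx unconditionally, so a request the ISR already freed
 * faults here (the pc in the advisory's trace). Only call on live requests. */
static unsigned int blk_mq_unique_tag_model(const struct request *rq)
{
    return (rq->mq_hctx->queue_num << 16) | rq->tag;   /* step 5 on a NULL hctx = crash */
}

/*
 * Hardened lookup, modelled on the behaviour the advisory describes
 * (an assumption about the patch shape, not the kernel's exact code):
 * take one volatile snapshot of rq->mq_hctx (what READ_ONCE() does) and
 * return NULL if the completion path already cleared it. Re-reading the
 * field a second time would reopen the window.
 */
static struct ufs_hw_queue *req_to_hwq_checked(struct ufs_hba *hba,
                                               struct request *rq)
{
    struct blk_mq_hw_ctx *hctx = *(struct blk_mq_hw_ctx *volatile *)&rq->mq_hctx;

    if (!hctx)
        return NULL;
    return &hba->hwq[hctx->queue_num];
}

/*
 * Abort path (thread A). `isr_wins` injects the interleaving from the
 * advisory: the ISR completes the command between the inflight check
 * (step 3) and the hardware-queue lookup (step 5). Returns 0 on success,
 * which is also the correct answer when there is nothing left to abort.
 */
static int abort_one_checked(struct ufs_hba *hba, struct request *rq, bool isr_wins)
{
    /* step 3: abort logic believes the command is still in flight */
    if (isr_wins)
        isr_complete_request(rq);      /* steps 2 and 4 happen here */

    struct ufs_hw_queue *hwq = req_to_hwq_checked(hba, rq);
    if (!hwq)
        return 0;                      /* already completed by the ISR: nothing to do */

    /* a real driver would take hwq->cq_lock and release the command here */
    (void)hwq;
    return 0;
}

int main(void)
{
    struct ufs_hba hba = { .hwq = { { 0 }, { 1 } } };
    struct blk_mq_hw_ctx hctx = { .queue_num = 1 };
    struct request rq = { .tag = 41, .mq_hctx = &hctx };

    printf("live unique tag: 0x%x\n", blk_mq_unique_tag_model(&rq));
    printf("abort after ISR completion -> %d, mq_hctx now %s\n",
           abort_one_checked(&hba, &rq, true), rq.mq_hctx ? "set" : "NULL");
    return 0;
}
```

The point the model makes visible is that the defect is not the NULL write itself (freeing the request is the ISR's job) but the abort path's unsynchronised second look at a pointer it no longer owns; the check has to operate on a single snapshot and treat "already gone" as a successful abort rather than an error.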

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with UFS storage devices, common in embedded systems, mobile devices, and some server/storage appliances. Exploitation leads to kernel crashes and system instability, resulting in denial of service. This can disrupt critical infrastructure, industrial control systems, or enterprise servers relying on Linux with UFS storage, causing downtime and potential data loss if systems reboot unexpectedly. While it does not directly lead to privilege escalation or data leakage, the DoS impact can affect availability of services, which is critical for sectors like finance, healthcare, and manufacturing prevalent in Europe. Organizations using Linux-based network equipment, IoT devices, or storage appliances with UFS may experience operational disruptions. The lack of known exploits reduces immediate risk, but the vulnerability's presence in the kernel means that attackers with local access or the ability to trigger aborts could cause crashes, making it a concern for maintaining system reliability.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that address CVE-2024-41053 as soon as they become available, ensuring the ufshcd_abort_one race condition is fixed.
2) Identify and inventory all systems using affected Linux kernel versions with UFS storage, including embedded devices and servers, to prioritize patching.
3) Where patching is not immediately feasible, consider disabling or limiting UFS device usage or isolating affected systems to reduce exposure.
4) Implement monitoring for kernel crashes and abnormal system reboots that could indicate exploitation attempts.
5) For critical infrastructure, conduct controlled testing of updated kernels to validate stability before deployment.
6) Employ strict access controls to limit local user access, as exploitation requires triggering kernel abort sequences.
7) Collaborate with hardware vendors to ensure firmware compatibility with updated kernel versions.

These steps go beyond generic advice by focusing on inventory, controlled patch deployment, and operational monitoring tailored to the specific nature of the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.626Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1784

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 3:56:38 AM

Last updated: 7/27/2025, 2:42:41 PM
