
CVE-2024-41057: Vulnerability in Linux (Linux kernel)

High
Published: Mon Jul 29 2024 (07/29/2024, 14:57:19 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

We got the following issue in our fault injection stress test:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600
Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109

CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566
Call Trace:
 <TASK>
 kasan_report+0x93/0xc0
 cachefiles_withdraw_cookie+0x4d9/0x600
 fscache_cookie_state_machine+0x5c8/0x1230
 fscache_cookie_worker+0x91/0x1c0
 process_one_work+0x7fa/0x1800
 [...]

Allocated by task 117:
 kmalloc_trace+0x1b3/0x3c0
 cachefiles_acquire_volume+0xf3/0x9c0
 fscache_create_volume_work+0x97/0x150
 process_one_work+0x7fa/0x1800
 [...]

Freed by task 120301:
 kfree+0xf1/0x2c0
 cachefiles_withdraw_cache+0x3fa/0x920
 cachefiles_put_unbind_pincount+0x1f6/0x250
 cachefiles_daemon_release+0x13b/0x290
 __fput+0x204/0xa00
 task_work_run+0x139/0x230
 do_exit+0x87a/0x29b0
 [...]
==================================================================

Following is the process that triggers the issue:

           p1                |             p2
------------------------------------------------------------
fscache_begin_lookup
 fscache_begin_volume_access
  fscache_cache_is_live(fscache_cache)
                              cachefiles_daemon_release
                               cachefiles_put_unbind_pincount
                                cachefiles_daemon_unbind
                                 cachefiles_withdraw_cache
                                  fscache_withdraw_cache
                                   fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);
                                  cachefiles_withdraw_objects(cache)
                                   fscache_wait_for_objects(fscache)
                                    atomic_read(&fscache_cache->object_count) == 0
 fscache_perform_lookup
  cachefiles_lookup_cookie
   cachefiles_alloc_object
    refcount_set(&object->ref, 1);
    object->volume = volume
    fscache_count_object(vcookie->cache);
     atomic_inc(&fscache_cache->object_count)
                                  cachefiles_withdraw_volumes
                                   cachefiles_withdraw_volume
                                    fscache_withdraw_volume
                                    __cachefiles_free_volume
                                     kfree(cachefiles_volume)
 fscache_cookie_state_machine
  cachefiles_withdraw_cookie
   cache = object->volume->cache; // cachefiles_volume UAF !!!

After setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscache_cache->object_count == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscache_withdraw_volume() before calling cachefiles_withdraw_objects(). This way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two cases will occur:

1) fscache_begin_lookup fails in fscache_begin_volume_access().

2) fscache_withdraw_volume() will ensure that fscache_count_object() has been executed before calling fscache_wait_for_objects().

AI-Powered Analysis

Last updated: 06/29/2025, 04:09:47 UTC

Technical Analysis

CVE-2024-41057 is a slab use-after-free in the Linux kernel's cachefiles subsystem, the on-disk backend that fscache uses to cache network filesystems (NFS mounted with the fsc option, AFS and others) locally. The freed object is a struct cachefiles_volume, and the bad read happens in cachefiles_withdraw_cookie(), which dereferences object->volume->cache for a cookie whose cache is being withdrawn.

The withdrawal side is cachefiles_withdraw_cache(). As the "Freed by" trace shows, it is reached from cachefiles_daemon_release(): the process holding /dev/cachefiles open (normally the cachefilesd daemon) closes the device or exits. In the unpatched code it marks the cache FSCACHE_CACHE_IS_WITHDRAWN, withdraws the objects and waits for fscache_cache->object_count to drop to zero, and only then withdraws and frees the cache's volumes. The lookup side, driven by the fscache cookie worker, checks fscache_cache_is_live() in fscache_begin_volume_access() and later, in cachefiles_alloc_object(), points the new object at the volume and increments object_count through fscache_count_object(). A lookup that passes the liveness check just before the state changes has not yet counted its object, so fscache_wait_for_objects() returns immediately, the volume is freed, and when the cookie state machine subsequently withdraws the cookie it reads the freed volume. KASAN caught the 8-byte read during fault-injection stress testing; the bug was not found through an attack.

The fix reorders cachefiles_withdraw_cache() so that fscache_withdraw_volume() runs before cachefiles_withdraw_objects(). fscache_withdraw_volume() waits for in-flight volume accesses, which a lookup holds from fscache_begin_volume_access() through fscache_count_object(), so after the reorder a lookup either fails the liveness check or has already incremented object_count before fscache_wait_for_objects() runs; the volume can no longer be freed underneath a live object.

The CVE record identifies affected kernels by the commit hash fe2140e2f57fef8562e0f9b7cd447d2b08dc2f35, which the kernel CNA uses as the start of the affected range, so any kernel containing that commit without the corresponding fix is affected; consult your distribution's advisory for the fixed package versions. No exploits are reported in the wild, and no CVSS score has been assigned. The realistic consequence is kernel memory corruption leading to a crash (denial of service) when the race is hit; privilege escalation would require controlling what replaces the freed volume in the slab before the stale read, which has not been demonstrated.
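To make the ordering concrete, the following is a small single-threaded userspace model of the two paths shown in the trace above. It is an added illustration, not kernel code and not the upstream patch: the state names mirror the kernel objects in the advisory, the "freed" flag stands in for KASAN's freed-slab tracking, and the scheduler that always prefers the withdrawal side and lets the lookup run only while the withdrawal is blocked is a modelling assumption that reproduces the "p1 is slow" interleaving from the fault-injection run. It runs that interleaving under the original ordering (wait for objects, then withdraw the volume) and under the patched ordering (withdraw the volume, then wait for objects), and also the late-lookup case 1) of the fix description.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model of the race (added example, not kernel code). Names follow
 * the kernel objects in the advisory; the 'freed' flag stands in for KASAN. */
enum cache_state { CACHE_IS_LIVE, CACHE_IS_WITHDRAWN };
struct fscache_cache { enum cache_state state; int object_count; };
struct cachefiles_volume {
    struct fscache_cache *cache;
    int n_accesses;        /* holders of fscache_begin_volume_access() */
    bool withdrawn, freed; /* fscache_withdraw_volume() ran / kfree() ran */
};
struct cachefiles_object { struct cachefiles_volume *volume; };
static struct fscache_cache cache;
static struct cachefiles_volume volume;
/* p1: the cookie lookup, split where the trace shows it being preempted.
 * Each step returns true on progress, false when it must block or is done. */
enum p1_pc { P1_BEGIN, P1_ALLOC, P1_WITHDRAW_COOKIE, P1_DONE };
enum p1_result { P1_RUNNING, P1_REJECTED, P1_OK, P1_UAF };
struct p1 { enum p1_pc pc; struct cachefiles_object obj; enum p1_result result; };
/* p2: cachefiles_withdraw_cache(); 'fixed' selects the patched ordering. */
enum p2_pc { P2_SET_WITHDRAWN, P2_WITHDRAW_VOLUME, P2_WAIT_OBJECTS, P2_FREE_VOLUME, P2_DONE };
struct p2 { enum p2_pc pc; bool fixed; };

static bool p1_step(struct p1 *s)
{
    switch (s->pc) {
    case P1_BEGIN:           /* fscache_begin_lookup -> fscache_begin_volume_access */
        if (cache.state != CACHE_IS_LIVE || volume.withdrawn) {
            s->result = P1_REJECTED;   /* case 1) of the fix description */
            s->pc = P1_DONE;
        } else {
            volume.n_accesses++;
            s->pc = P1_ALLOC;
        }
        return true;
    case P1_ALLOC:           /* cachefiles_alloc_object -> fscache_count_object */
        s->obj.volume = &volume;
        cache.object_count++;
        volume.n_accesses--;           /* fscache_end_volume_access() */
        s->pc = P1_WITHDRAW_COOKIE;
        return true;
    case P1_WITHDRAW_COOKIE: /* cachefiles_withdraw_cookie: cache = object->volume->cache */
        s->result = s->obj.volume->freed ? P1_UAF : P1_OK;
        cache.object_count--;          /* object dropped as the cookie exits */
        s->pc = P1_DONE;
        return true;
    default:
        return false;
    }
}

static bool p2_step(struct p2 *s)
{
    switch (s->pc) {
    case P2_SET_WITHDRAWN:   /* fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN) */
        cache.state = CACHE_IS_WITHDRAWN;
        s->pc = s->fixed ? P2_WITHDRAW_VOLUME : P2_WAIT_OBJECTS;
        return true;
    case P2_WITHDRAW_VOLUME: /* fscache_withdraw_volume(): wait for in-flight accesses */
        volume.withdrawn = true;
        if (volume.n_accesses > 0)
            return false;
        s->pc = s->fixed ? P2_WAIT_OBJECTS : P2_FREE_VOLUME;
        return true;
    case P2_WAIT_OBJECTS:    /* cachefiles_withdraw_objects + fscache_wait_for_objects */
        if (cache.object_count > 0)
            return false;
        s->pc = s->fixed ? P2_FREE_VOLUME : P2_WITHDRAW_VOLUME;
        return true;
    case P2_FREE_VOLUME:     /* __cachefiles_free_volume -> kfree(cachefiles_volume) */
        volume.freed = true;
        volume.cache = NULL;
        s->pc = P2_DONE;
        return true;
    default:
        return false;
    }
}

/* Drives one interleaving. late == false reproduces the trace: p1 passes the
 * liveness check, then the daemon side runs whenever it can and p1 only while
 * p2 is blocked. late == true lets the withdrawal finish before p1 starts. */
enum p1_result run(bool fixed, bool late)
{
    struct p1 a = { .pc = P1_BEGIN, .result = P1_RUNNING };
    struct p2 b = { .pc = P2_SET_WITHDRAWN, .fixed = fixed };
    cache = (struct fscache_cache){ .state = CACHE_IS_LIVE };
    volume = (struct cachefiles_volume){ .cache = &cache };
    if (!late)
        p1_step(&a);
    while (p2_step(&b) || p1_step(&a)) {}   /* stops when neither can move */
    return a.result;
}

int main(void)
{   /* prints original=3 (P1_UAF) patched=2 (P1_OK) late=1 (P1_REJECTED) */
    printf("original=%d patched=%d late=%d\n", run(false, false), run(true, false), run(false, true));
}
```

Under the original ordering the model reaches P1_UAF: the withdrawal observes object_count == 0 before the lookup has counted its object, frees the volume, and the cookie withdrawal then reads it. Under the patched ordering the volume withdrawal blocks on the outstanding access until the lookup has counted its object, the object wait then blocks until the cookie has exited, and the free happens last. The scheduler deliberately picks the worst interleaving every time; in the kernel the same window is only hit occasionally, which is why the bug surfaced under fault injection rather than in normal use.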

Potential Impact

For European organizations, exposure is limited to Linux systems that have the cachefiles module loaded and bound, that is, hosts running cachefilesd to cache network filesystems locally (typically NFS mounts with the fsc option). Plain NFS or SMB clients without fscache are not affected. Where the module is in use, the failure mode is a kernel crash or silent memory corruption when a cache withdrawal races with cookie lookups; this is an availability and integrity risk for file servers, HPC and render clusters, and virtualization or cloud hosts that rely on persistent client-side caching, and confidentiality is affected only indirectly through the corruption.

Exploitation is difficult rather than moderate. The withdrawal side is reached only when the process holding /dev/cachefiles, which requires CAP_SYS_ADMIN to open, closes it or exits, so an unprivileged local user can drive the lookup side by accessing cached files but cannot initiate the withdrawal. The realistic trigger is a restart, crash or shutdown of cachefilesd while the cache is busy, and the window is narrow. No public exploit is known. Organizations with availability requirements on such hosts should schedule the kernel update; systems without cachefiles can treat the advisory as informational.

Mitigation Recommendations

1. Apply the fixed kernel from your distribution as soon as it is available. For custom or embedded kernels, backport the upstream commit "cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()"; the change is a small reordering inside cachefiles_withdraw_cache() and carries little regression risk.
2. Inventory exposure before prioritizing. A host is only affected if the cachefiles module is loaded (or built in, CONFIG_CACHEFILES) and bound, which in practice means cachefilesd is running and at least one mount uses fscache (the fsc option on NFS). Hosts that never load the module are not exposed.
3. If local caching is not needed, stop and disable cachefilesd, remove the fsc mount option, and blacklist the cachefiles module; this removes the vulnerable code path entirely.
4. On unpatched hosts that need caching, avoid restarting or stopping cachefilesd while the cached mounts are busy: the daemon closing /dev/cachefiles is what starts the withdrawal that races with in-flight lookups. Plan such restarts for quiet windows until the kernel is updated.
5. Monitor for the symptom rather than for "unusual cachefiles activity": a KASAN report or oops naming cachefiles_withdraw_cookie or fscache_cookie_state_machine in the kernel log, or unexplained crashes shortly after cachefilesd stops.
6. KASAN, which found this bug, is a debugging feature with heavy runtime overhead; use it in test and fuzzing kernels to catch similar memory-safety issues before deployment, not as a production hardening control.
7. Keep backups and an incident-response plan that covers kernel crash recovery, and track your distribution's advisories so the fixed package versions reach system administrators promptly.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-07-12T12:17:45.627Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9827c4522896dcbe1790

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 4:09:47 AM

Last updated: 7/30/2025, 8:36:47 PM
