
CVE-2024-41058: Vulnerability in Linux Linux

High
Published: Mon Jul 29 2024 (07/29/2024, 14:57:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

We got the following issue in our fault injection stress test:

==================================================================
BUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370
Read of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798

CPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565
Call Trace:
 kasan_check_range+0xf6/0x1b0
 fscache_withdraw_volume+0x2e1/0x370
 cachefiles_withdraw_volume+0x31/0x50
 cachefiles_withdraw_cache+0x3ad/0x900
 cachefiles_put_unbind_pincount+0x1f6/0x250
 cachefiles_daemon_release+0x13b/0x290
 __fput+0x204/0xa00
 task_work_run+0x139/0x230

Allocated by task 5820:
 __kmalloc+0x1df/0x4b0
 fscache_alloc_volume+0x70/0x600
 __fscache_acquire_volume+0x1c/0x610
 erofs_fscache_register_volume+0x96/0x1a0
 erofs_fscache_register_fs+0x49a/0x690
 erofs_fc_fill_super+0x6c0/0xcc0
 vfs_get_super+0xa9/0x140
 vfs_get_tree+0x8e/0x300
 do_new_mount+0x28c/0x580
 [...]

Freed by task 5820:
 kfree+0xf1/0x2c0
 fscache_put_volume.part.0+0x5cb/0x9e0
 erofs_fscache_unregister_fs+0x157/0x1b0
 erofs_kill_sb+0xd9/0x1c0
 deactivate_locked_super+0xa3/0x100
 vfs_get_super+0x105/0x140
 vfs_get_tree+0x8e/0x300
 do_new_mount+0x28c/0x580
 [...]
==================================================================

Following is the process that triggers the issue:

        mount failed                   |          daemon exit
------------------------------------------------------------
deactivate_locked_super                | cachefiles_daemon_release
 erofs_kill_sb                         |
  erofs_fscache_unregister_fs          |
   fscache_relinquish_volume           |
    __fscache_relinquish_volume        |
     fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)
      zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);
                                       |  cachefiles_put_unbind_pincount
                                       |   cachefiles_daemon_unbind
                                       |    cachefiles_withdraw_cache
                                       |     cachefiles_withdraw_volumes
                                       |      list_del_init(&volume->cache_link)
      fscache_free_volume(fscache_volume)
       cache->ops->free_volume
        cachefiles_free_volume
         list_del_init(&cachefiles_volume->cache_link);
         kfree(fscache_volume)
                                       |      cachefiles_withdraw_volume
                                       |       fscache_withdraw_volume
                                       |        fscache_volume->n_accesses
                                       |        // fscache_volume UAF !!!

The fscache_volume in cache->volumes must not have been freed yet, but its reference count may be 0. So use the new fscache_try_get_volume() helper function to try to get its reference count. If the reference count of fscache_volume is 0, fscache_put_volume() is freeing it, so wait for it to be removed from cache->volumes. If its reference count is not 0, call cachefiles_withdraw_volume() with reference count protection to avoid the above issue.

AI-Powered Analysis

Last updated: 06/29/2025, 04:09:58 UTC

Technical Analysis

CVE-2024-41058 is a use-after-free vulnerability in the Linux kernel's cachefiles subsystem, specifically in the fscache_withdraw_volume() function. The issue arises from improper reference count handling of the fscache_volume structure. While a volume is being withdrawn from the cache, the reference count of the fscache_volume may reach zero, triggering its deallocation via fscache_put_volume(); subsequent code paths nonetheless still access the freed memory, producing a slab-use-after-free. The bug was found by fault injection stress testing and is evidenced by a KASAN (Kernel Address Sanitizer) report of a read from freed memory.

The root cause is that the volume is removed from the cache->volumes list before it is ensured that no further references exist, and the code does not adequately protect against concurrent access or delayed references. The fix uses the new helper function fscache_try_get_volume() to check and increment the reference count before the volume is accessed: if the count is already zero (the volume is being freed), the withdraw path waits for the volume to be fully removed from the cache list before proceeding. This enforces reference count protection and synchronization and so prevents the use-after-free.

The vulnerability affects Linux kernel versions around 6.8.0 and potentially others using the cachefiles and fscache subsystems. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
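The race above and the shape of the fix can be modelled in userspace. The following C block is an added example written for this page, not kernel code: it implements the "take a reference only while one still exists" semantics that fscache_try_get_volume() introduces, using a CAS loop on an atomic counter, and shows the withdraw path skipping a volume whose last reference has already been dropped instead of reading it. The struct layout, the function bodies and the demo_withdraw()/withdraw_volume_safe() helpers are assumptions of this model; the kernel's real waiting on cache->volumes removal is not reproduced.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Simplified fscache_volume model (an assumption): only the fields the CVE names. */
struct fscache_volume {
    atomic_int ref;      /* models fscache_volume->ref (refcount_t) */
    int n_accesses;      /* the field fscache_withdraw_volume() reads */
};

/* Models the new helper: take a reference only while one still exists.
 * The CAS loop never goes 0 -> 1 (refcount_inc_not_zero() semantics). */
bool fscache_try_get_volume(struct fscache_volume *v)
{
    int old = atomic_load(&v->ref);
    while (old != 0)
        if (atomic_compare_exchange_weak(&v->ref, &old, old + 1))
            return true;   /* reference taken; cannot be freed under us */
    return false;          /* ref == 0: a put is already freeing it */
}

/* Models __refcount_dec_and_test(): true when this put dropped the last
 * reference, the point at which the kernel would kfree() the volume. */
bool fscache_put_volume(struct fscache_volume *v)
{
    return atomic_fetch_sub(&v->ref, 1) == 1;
}

/* Fixed withdraw path; before the fix the body ran unconditionally and read
 * v->n_accesses even after the other thread's last put (the UAF).  Returns
 * n_accesses, or -1 when the volume is dying (caller waits for unlink instead). */
int withdraw_volume_safe(struct fscache_volume *v)
{
    if (!fscache_try_get_volume(v))
        return -1;
    int n = v->n_accesses;   /* fscache_withdraw_volume() body, now protected */
    fscache_put_volume(v);
    return n;
}

/* Scenario driver: with put_first, the mount-failure thread's last put has
 * already run (ref 1 -> 0, kfree() pending) when the daemon withdraws. */
int demo_withdraw(bool put_first)
{
    struct fscache_volume v;
    atomic_init(&v.ref, 1);
    v.n_accesses = 3;
    if (put_first)
        fscache_put_volume(&v);
    return withdraw_volume_safe(&v);   /* 3 when live, -1 when dying */
}
```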

Potential Impact

For European organizations, this vulnerability primarily affects systems running Linux kernels with the cachefiles feature enabled, which is commonly used to improve filesystem caching performance, especially in environments that rely on networked or distributed filesystems. Exploitation of the use-after-free could cause kernel crashes (denial of service) or potentially enable local privilege escalation or arbitrary code execution in kernel context if an attacker can manipulate the cachefiles subsystem. This is particularly concerning for critical infrastructure, cloud service providers, and enterprises that rely on Linux-based servers for file storage and caching. The impact on confidentiality, integrity, and availability could be significant if exploited, since kernel-level compromise can lead to full system control. However, exploitation requires local access and the ability to trigger specific cachefiles operations, which somewhat limits the attack surface. The vulnerability could still be leveraged by malicious insiders or through chained exploits in multi-tenant environments. Given the widespread use of Linux in European data centers, telecommunications, and government systems, a broad range of sectors could be affected.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions in which this vulnerability is patched. Since no official patch links are provided, monitoring the Linux kernel mailing lists and vendor advisories for the fix is critical. In the interim, organizations should audit the cachefiles feature and disable it where it is not essential, as this reduces the attack surface. System administrators should also restrict local access to trusted users only, employ strict access controls, and monitor kernel logs for unusual cachefiles-related errors or crashes. For environments using networked filesystems that rely on cachefiles, consider alternative caching mechanisms or enhanced isolation to mitigate the risk. Additionally, enabling kernel sanitizers such as KASAN in testing environments can help detect similar issues proactively. Regular vulnerability scanning and penetration testing focused on kernel subsystems can also aid in early detection of exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.627Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1798

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 4:09:58 AM

Last updated: 8/4/2025, 2:34:41 PM

