CVE-2024-42104 is a vulnerability identified in the Linux kernel's handling of the NILFS2 (New Implementation of a Log-structured File System version 2) filesystem. The issue arises due to a missing check for inode numbers on directory entries within NILFS2. Specifically, when mounting and unmounting specially crafted corrupted NILFS2 filesystem images, a use-after-free condition can occur involving metadata file inodes. This happens because the link count of a metadata file inode is corrupted to zero, leading the kernel function nilfs_evict_inode(), invoked during inode release (iput()), to erroneously delete this inode. The root cause is that directories containing inode numbers of internal metadata files, which should not be visible or accessible in the filesystem namespace, are read without proper validation. Consequently, this inode inconsistency triggers a kernel bug in the memory management function lru_add_fn(), potentially causing kernel crashes or undefined behavior. The fix implemented involves enhancing the sanity checks during directory page reads to treat inode numbers of these internal files as errors, preventing the exposure and misuse of these inodes. This vulnerability was reported by Syzbot and analyzed with contributions from kernel developers including Jan Kara, Hillf Danton, and Matthew Wilcox. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

For European organizations, the impact of CVE-2024-42104 can be significant, especially for those relying on Linux systems with NILFS2 filesystems, which are often used in specialized storage environments requiring log-structured filesystems for performance or reliability reasons. Exploitation of this vulnerability could lead to kernel crashes (denial of service), potential data corruption, or system instability. Although no direct remote exploitation vector is described, attackers with the ability to mount or manipulate NILFS2 filesystem images locally or via compromised accounts could trigger the vulnerability. This could disrupt critical services, particularly in sectors like telecommunications, finance, research institutions, and cloud providers that use Linux extensively. The use-after-free condition could also be a stepping stone for privilege escalation or further kernel-level exploits if combined with other vulnerabilities, increasing the risk profile. The absence of known exploits suggests a window for proactive patching before widespread attacks occur.

European organizations should prioritize applying the patch provided by the Linux kernel maintainers that addresses this inode validation issue in NILFS2. System administrators should audit their environments to identify any use of NILFS2 filesystems and assess exposure. Where NILFS2 is not required, consider migrating to more commonly used and actively maintained filesystems like ext4 or XFS to reduce risk. Implement strict access controls to limit who can mount or manipulate filesystem images, especially in multi-tenant or shared environments. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and enable security modules like SELinux or AppArmor to restrict kernel interactions. Regularly monitor kernel logs for anomalies related to inode handling or filesystem mounts. Additionally, incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation if exploitation attempts are observed.