CVE-2024-42152: Vulnerability in the Linux kernel (nvmet)
In the Linux kernel, the following vulnerability has been resolved: nvmet: fix a possible leak when destroy a ctrl during qp establishment

In nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we know that a ctrl was allocated (in the admin connect request handler) and we need to release pending AERs, clear ctrl->sqs and sq->ctrl (for nvme-loop primarily), and drop the final reference on the ctrl. However, a small window is possible where nvmet_sq_destroy starts (as a result of the client giving up and disconnecting) concurrently with the nvme admin connect cmd (which may be in an early stage). But *before* kill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq live reference). In this case, sq->ctrl was allocated however after it was captured in a local variable in nvmet_sq_destroy. This prevented the final reference drop on the ctrl. Solve this by re-capturing the sq->ctrl after all inflight requests have completed, where for sure sq->ctrl reference is final, and move forward based on that. This issue was observed in an environment with many hosts connecting multiple ctrls simultaneously, creating a delay in allocating a ctrl leading up to this race window.
AI Analysis
Technical Summary
CVE-2024-42152 is a reference-count leak in the Linux kernel's NVMe over Fabrics target (nvmet) subsystem, in the teardown routine nvmet_sq_destroy() that frees a submission queue (sq) and drops the queue's reference on its controller (ctrl). nvmet_sq_destroy() reads sq->ctrl into a local variable at entry, then kills the queue's percpu reference (sq->ref) and waits for every inflight request that already holds a live reference to finish. The ctrl is not created together with the queue; it is allocated by the admin connect command handler, which runs as one of those requests. If the host gives up and disconnects while its admin connect is still in an early stage, the connect can have taken its live sq->ref before the kill but not yet allocated the ctrl at the moment nvmet_sq_destroy() reads sq->ctrl. The local copy is therefore NULL; the connect then completes during the wait and stores a freshly allocated ctrl in sq->ctrl, and the teardown code, acting on the NULL copy, never performs the final reference drop. The ctrl object and everything it holds is leaked. There is no use-after-free or memory corruption involved, so this is an availability bug rather than a code-execution bug. The fix re-reads sq->ctrl after the waits have completed, when no request can still change it, and uses that value to clear ctrl->sqs and sq->ctrl (needed mainly for nvme-loop) and to drop the final reference with nvmet_ctrl_put(). The window is small but real: it was observed with many hosts connecting multiple controllers at once, where contention slows ctrl allocation enough for a disconnect to land inside it. No exploitation in the wild is reported and no CVSS score had been assigned at the time of this entry.
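The following single-threaded C model is added here as an illustration; it is not kernel code and not part of the original entry. It replays the ordering the commit message describes: an admin connect that already holds an sq->ref live reference completes while the destroy path is waiting for inflight requests, after the function has already read sq->ctrl. The struct layouts, the live_ctrls leak counter, kill_and_wait() and the names sq_destroy_before()/sq_destroy_after() are constructed for the example; only the sequence of events comes from the commit message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of the nvmet_sq_destroy() race (CVE-2024-42152).
 * The kernel uses a percpu_ref and completions; here a plain counter of
 * inflight requests stands in for the live references on sq->ref.
 */

struct ctrl;

struct sq {
    struct ctrl *ctrl;  /* assigned by the admin connect handler, NULL before */
    int inflight;       /* requests that obtained a live sq->ref */
    bool ref_killed;    /* models percpu_ref_kill_and_confirm(&sq->ref) */
};

struct ctrl {
    int refcnt;
};

static int live_ctrls; /* ctrl objects currently allocated: the leak detector */

static struct ctrl *ctrl_alloc(void)
{
    struct ctrl *c = calloc(1, sizeof(*c));

    if (!c)
        abort();
    c->refcnt = 1; /* the queue's reference, dropped by sq_destroy */
    live_ctrls++;
    return c;
}

static void ctrl_put(struct ctrl *c)
{
    if (--c->refcnt == 0) {
        live_ctrls--;
        free(c);
    }
}

/* Admin connect: runs under a live sq->ref and publishes the new ctrl. */
static void admin_connect_complete(struct sq *sq)
{
    sq->ctrl = ctrl_alloc();
    sq->inflight--;
}

/* Kill the ref, then wait for confirm_done/free_done: every request that got
 * its reference before the kill still runs to completion during the wait. */
static void kill_and_wait(struct sq *sq)
{
    sq->ref_killed = true;
    while (sq->inflight > 0)
        admin_connect_complete(sq); /* the late connect lands here */
}

static void release_ctrl(struct sq *sq, struct ctrl *ctrl)
{
    if (!ctrl)
        return;
    /* the kernel also clears ctrl->sqs[qid] and pending AERs here */
    ctrl_put(ctrl);
    sq->ctrl = NULL;
}

/* Before the fix: sq->ctrl is read once, before inflight requests drain. */
static void sq_destroy_before(struct sq *sq)
{
    struct ctrl *ctrl = sq->ctrl; /* NULL: connect has not completed yet */

    kill_and_wait(sq);
    release_ctrl(sq, ctrl);       /* NULL copy: the new ctrl is never put */
}

/* After the fix: sq->ctrl is re-read once nothing can still change it.
 * (The kernel keeps an early copy for AER cleanup; omitted in this model.) */
static void sq_destroy_after(struct sq *sq)
{
    struct ctrl *ctrl;

    kill_and_wait(sq);
    ctrl = sq->ctrl;              /* final value: the connect has completed */
    release_ctrl(sq, ctrl);
}

/* Runs the race scenario and returns how many ctrl objects are left alive. */
static int run_scenario(bool fixed)
{
    struct sq sq;

    memset(&sq, 0, sizeof(sq));
    live_ctrls = 0;
    sq.inflight = 1; /* one admin connect took its live ref before the kill */

    if (fixed)
        sq_destroy_after(&sq);
    else
        sq_destroy_before(&sq);
    return live_ctrls;
}

int main(void)
{
    printf("before fix: %d ctrl leaked\n", run_scenario(false));
    printf("after fix:  %d ctrl leaked\n", run_scenario(true));
    return 0;
}
```

Compile with `cc -Wall race.c && ./a.out`; the old ordering leaves one ctrl alive, the fixed ordering none. A real reproduction needs two CPUs racing a disconnect against an admin connect, and the window is only a few instructions wide, which is why it took heavy multi-host load before anyone noticed the leak.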
Potential Impact
For European organizations running Linux NVMe over Fabrics targets (NVMe/TCP, RDMA, FC or the loop transport) in data centers, cloud platforms or storage appliances, every hit of the race leaks one nvmet controller object together with what it holds: its memory, its reference on the subsystem and its controller ID (cntlid), which is only returned to the pool when the ctrl is freed. A single occurrence is harmless, but occurrences accumulate for the lifetime of the running kernel and are not reclaimed, so a busy target can drift towards memory pressure and, in the worst case, exhaust the subsystem's controller ID range so that new hosts can no longer connect. The effect is on availability and stability only: the bug exposes no data and gives an attacker neither code execution nor elevated privileges. Note that the disconnect timing is under the initiator's control, so any host permitted to connect to the target (and, where attr_allow_any_host is left enabled, any host that can reach the port) can provoke the condition deliberately by repeatedly connecting and aborting during the admin connect, rather than waiting for it to happen by chance. Targets that serve many hosts or tenants at once, where the race is easiest to hit even accidentally, are the most exposed.
Mitigation Recommendations
European organizations should apply the fixed kernel from their distribution as soon as it is available; the upstream fix is the commit titled "nvmet: fix a possible leak when destroy a ctrl during qp establishment", and distribution advisories for CVE-2024-42152 list the fixed package versions. Kernel live patching, where the vendor ships a patch for this CVE, avoids the reboot. Until the fix is in place, reduce who can trigger the race: set attr_allow_any_host to 0 on each nvmet subsystem under /sys/kernel/config/nvmet/subsystems/<nqn>/ and enroll only the intended host NQNs in its allowed_hosts directory, and keep NVMe-oF ports on an isolated storage network rather than reachable from general-purpose or tenant networks. There is no log line for a leaked controller, so detection is indirect: track Slab in /proc/meminfo and the kmalloc caches in /proc/slabinfo on targets against host connect and disconnect churn, and in a lab kernel built with CONFIG_DEBUG_KMEMLEAK the leaked objects may show up as unreferenced allocations after a connect-and-abort test. Throttling the rate of new connections at the initiators or in the network narrows the window but does not close it. Validate the new kernel on a staging target that reproduces production host fan-out and multipath before rolling it out.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-29T15:50:41.193Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe1be8
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 5:54:36 AM
Last updated: 8/13/2025, 5:14:46 AM
Views: 11
Related Threats
CVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
CVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
CVE-2025-50862: n/a (Medium)
CVE-2025-50861: n/a (High)