
CVE-2024-43891: Vulnerability in the Linux kernel (tracing: format file use-after-free)

High
Published: Mon Aug 26 2024 (08/26/2024, 10:10:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Have format file honor EVENT_FILE_FL_FREED

When eventfs was introduced, special care had to be taken to coordinate the freeing of the file meta data with the files that are exposed to user space. The file meta data would have a ref count that is set when the file is created and would be decremented and freed after the last user that opened the file closed it. When the file meta data was to be freed, it would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed, and any new references made (like new opens or reads) would fail as it is marked freed. This allowed other meta data to be freed after this flag was set (under the event_mutex).

All the files that were dynamically created in the events directory had a pointer to the file meta data and would call event_release() when the last reference to the user space file was closed. This would be the time that it is safe to free the file meta data.

A shortcut was made for the "format" file. Its i_private would point to the "call" entry directly and not point to the file's meta data. This is because all format files are the same for the same "call", so it was thought there was no reason to differentiate them. The other files maintain state (like the "enable", "trigger", etc). But this meant if the file were to disappear, the "format" file would be unaware of it.

This caused a race that could be triggered via the user_events test (that would create dynamic events and free them), and running a loop that would read the user_events format files:

In one console run:

  # cd tools/testing/selftests/user_events
  # while true; do ./ftrace_test; done

And in another console run:

  # cd /sys/kernel/tracing/
  # while true; do cat events/user_events/__test_event/format; done 2>/dev/null

With KASAN memory checking, it would trigger a use-after-free bug report (which was a real bug). This was because the format file was not checking the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the event that the file meta data pointed to after the event was freed.

After inspection, there are other locations that were found to not check the EVENT_FILE_FL_FREED flag when accessing the trace_event_file.

Add a new helper function: event_file_file() that will make sure that the event_mutex is held, and will return NULL if the trace_event_file has the EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file pointer use event_file_file() and check for NULL. Later uses can still use the event_file_data() helper function if the event_mutex is still held and was not released since the event_file_file() call.
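The lifetime rules the commit message describes, reduced to a user-space C model. This is an added illustration written for this page, not kernel code: the kernel names (trace_event_file, EVENT_FILE_FL_FREED, event_mutex, event_file_data, event_file_file) are kept so the shape is recognisable, but the bodies, the bool that stands in for the held mutex, and the create_event, format_open, format_read, remove_event and format_release functions are simplified stand-ins. It shows the two properties the fix relies on: a reader that opened the format file before the event was removed keeps the meta data alive through its reference, and once the flag is set the guarded helper returns NULL while the unguarded accessor still hands back a pointer whose event_call is dangling.

```c
/* Added illustration for this page, not kernel code: a single-threaded user-space
 * model of the trace_event_file lifetime rules in the text. Kernel names are kept
 * (EVENT_FILE_FL_FREED, event_mutex, event_file_data, event_file_file); bodies and
 * the format_* and remove_event functions are simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define EVENT_FILE_FL_FREED (1u << 0)

struct trace_event_call { const char *name, *format; };   /* the per-event "call" */
struct trace_event_file { struct trace_event_call *event_call; unsigned int flags; int ref; };
struct file { void *i_private; };                          /* VFS struct file stand-in */

/* The real event_mutex is a kernel mutex; the model only tracks whether it is held. */
static bool event_mutex_held;
static int meta_freed_count;         /* trace_event_file structs released so far */
static void lock_event_mutex(void)   { event_mutex_held = true; }
static void unlock_event_mutex(void) { event_mutex_held = false; }

/* Pre-fix accessor shape: hands back the pointer with no liveness check. */
static struct trace_event_file *event_file_data(struct file *filp)
{ return filp->i_private; }

/* Helper added by the fix: requires event_mutex; NULL once the meta data is marked freed. */
static struct trace_event_file *event_file_file(struct file *filp)
{
	struct trace_event_file *file = event_file_data(filp);
	if (!event_mutex_held)
		abort();                     /* lockdep_assert_held(&event_mutex) */
	if (!file || (file->flags & EVENT_FILE_FL_FREED))
		return NULL;
	return file;
}

static void event_file_put(struct trace_event_file *file)
{
	if (--file->ref) return;
	free(file);                      /* last user gone: the meta data can go */
	meta_freed_count++;
}

struct trace_event_file *create_event(const char *name, const char *format)
{
	struct trace_event_call *call = calloc(1, sizeof(*call));
	struct trace_event_file *file = calloc(1, sizeof(*file));
	if (!call || !file) abort();
	call->name = name;
	call->format = format;
	file->event_call = call;
	file->ref = 1;                   /* reference owned by the event itself */
	return file;
}

/* open(): refused once freed; otherwise the struct file takes a reference */
int format_open(struct file *filp, struct trace_event_file *file)
{
	int ret = -ENODEV;
	lock_event_mutex();
	if (!(file->flags & EVENT_FILE_FL_FREED)) {
		file->ref++;
		filp->i_private = file;
		ret = 0;
	}
	unlock_event_mutex();
	return ret;
}

/* read(): guarded path. Pre-fix, the format file reached the call here with no FREED check. */
long format_read(struct file *filp, char *buf, size_t len)
{
	struct trace_event_file *file;
	long ret = -ENODEV;
	lock_event_mutex();
	file = event_file_file(filp);
	if (file)
		ret = snprintf(buf, len, "name: %s\nformat: %s\n",
			       file->event_call->name, file->event_call->format);
	unlock_event_mutex();
	return ret;
}

/* Dynamic event removal: flag first, then free the call, both under event_mutex. */
void remove_event(struct trace_event_file *file)
{
	lock_event_mutex();
	file->flags |= EVENT_FILE_FL_FREED;
	free(file->event_call);          /* event_call now dangles on purpose */
	event_file_put(file);            /* meta data survives while opens hold refs */
	unlock_event_mutex();
}

/* release(): the last close frees the meta data if the event is already gone */
void format_release(struct file *filp)
{
	lock_event_mutex();
	event_file_put(event_file_data(filp));
	unlock_event_mutex();
}
```

Running the sequence open, remove_event, read, release against this model gives 0, then -ENODEV from the read, and the meta data is released only by the final format_release; that is exactly the ordering the pre-fix format file broke, because its i_private pointed at the call (freed in remove_event) rather than at the trace_event_file that outlives it.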

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 22:26:44 UTC

Technical Analysis

CVE-2024-43891 is a use-after-free in the Linux kernel's tracing subsystem, in the handling of the per-event files that eventfs exposes under /sys/kernel/tracing/events. Each such file is backed by a trace_event_file structure whose lifetime is reference counted: a reference is taken when the file is created and by each open, and when the event is removed the kernel sets EVENT_FILE_FL_FREED so that new opens and reads fail, then frees the rest of the event's data under event_mutex while the trace_event_file itself lingers until the last close. The "format" file bypassed this scheme: because every format file for a given event is identical, its i_private pointed straight at the event's "call" structure rather than at the trace_event_file, so it had no way to observe the freed flag. A process that already had the format file open could therefore dereference the call after a concurrent event removal had freed it. The commit message reproduces this with two loops, the user_events selftest (tools/testing/selftests/user_events/ftrace_test) creating and deleting a dynamic event while a shell loop reads events/user_events/__test_event/format; under KASAN this yields a use-after-free report. While fixing the format file, the maintainers found other paths that read the trace_event_file without checking the flag, and introduced event_file_file(), a helper that asserts event_mutex is held and returns NULL when EVENT_FILE_FL_FREED is set; callers take the first reference through it and check for NULL, after which event_file_data() remains safe for as long as the mutex is not dropped. Triggering the race requires the ability both to read tracefs and to create and delete dynamic events, which on a default system means access to /sys/kernel/tracing (root-only by default) and to the user_events or dynamic_events interfaces. Within those preconditions the bug is a genuine kernel memory-safety flaw: a use-after-free on kernel heap memory can crash the kernel and, depending on what reuses the freed allocation, leak or corrupt kernel memory. No exploitation in the wild is known as of this writing, and the CVE record carries no CVSS score.

Potential Impact

For European organizations the exposure is limited to Linux hosts whose kernels carry the vulnerable eventfs code and on which a local party can reach the tracing interfaces. The default tracefs mount at /sys/kernel/tracing is accessible only to root, so the realistic attacker is a local user who has deliberately been given tracing access, for example a group permitted to write user_events_data on an observability host, or a container with tracefs bind-mounted for debugging. Where that holds, the most likely outcome of triggering the race is a kernel crash (denial of service) that takes the whole host, and with it every tenant, down; turning the use-after-free into a kernel memory leak or privilege escalation is harder but cannot be excluded for a use-after-free on kernel heap memory. Multi-tenant and shared-hosting environments are therefore affected only where tracing access has been widened beyond root. The documented reproducer (the user_events selftest plus a read loop) also matters for CI systems that run the kernel selftests under KASAN, where the bug surfaces as a failing run until the kernel is patched. Overall the impact is moderate: real, but gated on tracing access that most production systems do not grant to unprivileged users.

Mitigation Recommendations

The fix is in the mainline kernel and has been backported to the stable series, so the primary action is to move to a kernel that carries the commit "tracing: Have format file honor EVENT_FILE_FL_FREED"; distribution kernels pick this up through their normal security updates. Until that is deployed, keep the tracing interfaces root-only: do not relax the default permissions on /sys/kernel/tracing (or /sys/kernel/debug/tracing), and do not hand write access to user_events_data or dynamic_events to untrusted users or containers, since creating and deleting dynamic events is one half of the race. Audit which users, service accounts and containers currently have tracefs access and confine it to the people who actually run tracing tools. In test environments, build with KASAN and run the selftest loop from the advisory against a candidate kernel; a clean run is a cheap confirmation that the backport landed. In production, a kernel oops or panic whose trace mentions tracing, eventfs or trace_event_file is worth investigating as a possible trigger. For custom or long-lived kernels, backport the whole patch, including the event_file_file() helper and its callers, rather than only the format-file hunk, because the same missing check was found in other locations. Finally, track the CVE in vulnerability management so that the patched kernel is confirmed across the fleet.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-08-17T09:11:59.290Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9826c4522896dcbe0bea

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 10:26:44 PM

Last updated: 8/3/2025, 6:28:04 PM
