
CVE-2024-46701: Vulnerability in Linux Linux

Medium
Published: Fri Sep 13 2024 (09/13/2024, 06:27:29 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

libfs: fix infinite directory reads for offset dir

After we switch tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations, every rename happened will fill new dentry to dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free key starting with octx->newx_offset, and then set newx_offset equals to free key + 1. This will lead to infinite readdir combine with rename happened at the same time, which fail generic/736 in xfstests(detail show as below).

1. create 5000 files(1 2 3...) under one dir
2. call readdir(man 3 readdir) once, and get one entry
3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry)
4. loop 2~3, until readdir return nothing or we loop too many times(tmpfs break test with the second condition)

We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite directory reads") to fix it, record the last_index when we open dir, and do not emit the entry which index >= last_index. The file->private_data now used in offset dir can use directly to do this, and we also update the last_index when we llseek the dir file.

[brauner: only update last_index after seek when offset is zero like Jan suggested]

AI-Powered Analysis

Last updated: 06/29/2025, 00:26:31 UTC

Technical Analysis

CVE-2024-46701 is a vulnerability in the Linux kernel's handling of directory reads on tmpfs, in the libfs code that implements directory operations. The issue arises after tmpfs directory operations were switched from simple_dir_operations to simple_offset_dir_operations. On every rename, the new directory entry (dentry) is inserted into the destination directory's maple tree under a free key starting from the directory's next-offset value, and the next offset is then set to that key plus one, so every rename places the entry at a fresh, higher offset.

When a process reads directory entries (readdir) while renames are happening at the same time, this leads to an infinite directory read: a process that repeatedly reads one entry and renames it away and back never receives an end-of-directory indication. The behavior was observed in the xfstests generic/736 test case, which creates thousands of files, then alternates readdir calls and renames until readdir returns nothing or the loop count becomes excessive. The root cause is that the directory read has no upper bound: entries re-inserted by rename after the directory was opened are emitted again, so the read never reaches the end.

The fix mirrors an earlier btrfs patch: it records last_index when the directory is opened and does not emit entries whose index is greater than or equal to last_index. The file's private_data is used to hold last_index, which is also updated when the directory file is seeked, but only when the offset is reset to zero. This ensures directory reads terminate after the last entry that existed at open time. No known exploits are reported in the wild, and the vulnerability affects Linux kernel versions identified by the commit hash a2e459555c5f9da3e619b7e47a63f98574dc75f1. No CVSS score has been assigned yet.
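The rename/readdir loop and the last_index bound described above, as a user-space model added here for illustration (it is not kernel code and not part of the original advisory). The names `struct dir`, `model_rename`, `model_readdir`, `run_rename_readdir_loop` and the `MAX_LOOPS` cap are assumptions, a plain array stands in for the maple tree, offsets start at 0, and only the open-time bound is modelled, not the llseek update.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define NFILES    5000            /* files created in step 1 */
#define MAX_LOOPS (4 * NFILES)    /* constructed cap for "loop too many times" */

/* Simplified stand-in for the per-directory offset map (not kernel code). */
struct dir { long *key; int n; long next_offset; };

/* A rename gives the entry a fresh key and sets next_offset to key + 1. */
static void model_rename(struct dir *d, int i) { d->key[i] = d->next_offset++; }

/* Index of the entry with the smallest key in [pos, last_index), or -1 at EOF. */
static int model_readdir(const struct dir *d, long pos, long last_index)
{
    int best = -1;
    for (int i = 0; i < d->n; i++) {
        if (d->key[i] < pos || d->key[i] >= last_index)
            continue;
        if (best < 0 || d->key[i] < d->key[best])
            best = i;
    }
    return best;
}

/* Runs steps 1-4; returns how many entries readdir handed out before stopping. */
long run_rename_readdir_loop(int patched)
{
    struct dir d = { malloc(NFILES * sizeof(long)), NFILES, 0 };
    long pos = 0, loops = 0;
    if (!d.key)
        return -1;
    for (int i = 0; i < NFILES; i++)
        d.key[i] = d.next_offset++;
    /* The fix: remember the next free key at open time and never emit past it. */
    long last_index = patched ? d.next_offset : LONG_MAX;
    for (int i; loops < MAX_LOOPS && (i = model_readdir(&d, pos, last_index)) >= 0; loops++) {
        pos = d.key[i] + 1;       /* directory position moves past the entry */
        model_rename(&d, i);      /* rename(entry, "TEMPFILE") */
        model_rename(&d, i);      /* rename("TEMPFILE", entry) */
    }
    free(d.key);
    return loops;
}

int main(void)
{
    printf("without last_index: %ld reads (cap %d)\n", run_rename_readdir_loop(0), MAX_LOOPS);
    printf("with last_index:    %ld reads\n", run_rename_readdir_loop(1));
    return 0;
}
```

Without the bound the loop only stops at the cap; with it, the read ends after exactly the entries that existed when the directory was opened.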

Potential Impact

For European organizations, this vulnerability could lead to denial of service (DoS) conditions on systems using tmpfs, a common in-memory filesystem used for temporary storage. The infinite loop in directory reads can cause processes that rely on reading directory contents to hang or consume excessive CPU resources, potentially degrading system performance or causing application failures. This is particularly critical for servers and infrastructure relying on tmpfs for caching, temporary file storage, or runtime data, including cloud environments, container platforms, and embedded Linux devices. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting DoS could disrupt critical services, impacting availability and operational continuity. Systems heavily utilizing tmpfs for high-frequency file operations or automated scripts performing rename and directory read cycles are at higher risk. The absence of known exploits reduces immediate threat, but the vulnerability's presence in the Linux kernel means that unpatched systems remain vulnerable to potential future exploitation or accidental triggering by benign workloads.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions that include the patch fixing CVE-2024-46701. Since the vulnerability relates to tmpfs directory operations, kernel updates from trusted Linux distributions should be applied promptly. For environments where immediate patching is not feasible, administrators should monitor and limit workloads that perform intensive rename and readdir operations on tmpfs directories, especially scripts or applications that create and rename large numbers of files rapidly. Implementing resource limits (e.g., CPU and I/O throttling) on processes interacting heavily with tmpfs can reduce the risk of system resource exhaustion. Additionally, monitoring system logs and performance metrics for unusual CPU spikes or hangs related to directory operations can help detect attempts to trigger this vulnerability. Containerized environments should ensure base images use updated kernels and avoid tmpfs misuse in application logic. Finally, security teams should maintain awareness of kernel updates and advisories from Linux vendors and test patches in staging environments before production deployment to avoid regressions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-11T15:12:18.251Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe1006

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/29/2025, 12:26:31 AM

Last updated: 7/28/2025, 11:05:43 PM
