CVE-2024-46786: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current CPU. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows:

==================================================================
BUG: unable to handle page fault for address: fffffbfff803c9e9
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855
Tainted: [W]=WARN
RIP: 0010:__run_timer_base.part.0+0x254/0x8a0
Call Trace:
 <IRQ>
 tmigr_handle_remote_up+0x627/0x810
 __walk_groups.isra.0+0x47/0x140
 tmigr_handle_remote+0x1fa/0x2f0
 handle_softirqs+0x180/0x590
 irq_exit_rcu+0x84/0xb0
 sysvec_apic_timer_interrupt+0x6e/0x90
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0xf/0x20
 default_idle_call+0x38/0x60
 do_idle+0x2b5/0x300
 cpu_startup_entry+0x54/0x60
 start_secondary+0x20d/0x280
 common_startup_64+0x13e/0x148
 </TASK>
Modules linked in: [last unloaded: netfs]
==================================================================

Therefore delete fscache_cookie_lru_timer when removing the fscache module.
AI Analysis
Technical Summary
CVE-2024-46786 is a use-after-free (UAF) vulnerability in the Linux kernel's fscache subsystem. The fscache_cookie_lru_timer is initialized when the fscache module is loaded, but it was not deleted when the module was removed. If timer_reduce() is called on that timer before the module is unloaded, the timer is linked into the timer list of the current CPU, and that list outlives the module. After the module's memory has been freed, the timer softirq still walks the list and invokes the callback, which is a use-after-free in softIRQ context; in the oops quoted in the description this shows up as a supervisor-mode read fault on a not-present page, with __run_timer_base in the faulting frame. The result is a kernel oops, i.e. instability or a crash of the host. The root cause is improper cleanup of a kernel timer during module unload: a timer embedded in module-owned memory must be deleted before that memory goes away, which is what the fix adds to the fscache exit path. The issue affects Linux kernel versions before the fix commit referenced in the CVE record and is relevant to systems using the fscache module, which caches network filesystem data to improve performance. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The vulnerability is nonetheless serious because of its potential to cause denial of service via kernel crashes, and possibly privilege escalation if exploited further.
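To make the failure mode concrete, here is an added userspace C model (not kernel code and not the fscache patch): a timer embedded in module-owned memory is linked into a per-CPU timer base that outlives the module, so unloading without deleting the timer leaves a dangling entry for the softirq to run. The struct fscache_module, the timer base and the scenario function are constructed for this example; timer_reduce and timer_delete_sync mirror the kernel API names in shape only.

```c
#include <stdlib.h>
/* Userspace model of a kernel timer embedded in module memory and linked into a
 * per-CPU timer base that outlives the module (names mirror the kernel API only). */
struct timer_list {
    struct timer_list *next;               /* link in the per-CPU base */
    unsigned long expires;
    void (*function)(struct timer_list *);
};
struct fscache_module {                    /* hypothetical module state */
    struct timer_list cookie_lru_timer;    /* embedded: freed with the module */
    int cookies_culled;
};
static struct timer_list *timer_base;      /* this CPU's pending timers */
/* timer_reduce(): arm the timer, or pull its expiry in; links it into the base */
static void timer_reduce(struct timer_list *t, unsigned long expires)
{
    for (struct timer_list *p = timer_base; p; p = p->next)
        if (p == t) { if (expires < t->expires) t->expires = expires; return; }
    t->expires = expires; t->next = timer_base; timer_base = t;
}
/* timer_delete_sync(): unlink the timer before its owner's memory is freed */
static void timer_delete_sync(struct timer_list *t)
{
    for (struct timer_list **pp = &timer_base; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; return; }
}
static void lru_timer_fn(struct timer_list *t)
{   /* container_of-style back-reference into module memory: the UAF site */
    ((struct fscache_module *)t)->cookies_culled++;
}
static struct fscache_module *fscache_init(void)
{
    struct fscache_module *m = calloc(1, sizeof *m);
    m->cookie_lru_timer.function = lru_timer_fn;
    return m;
}
/* delete_timer = 0 models the pre-fix exit path, 1 models the fixed one */
static void fscache_exit(struct fscache_module *m, int delete_timer)
{
    if (delete_timer) timer_delete_sync(&m->cookie_lru_timer);
    free(m);                               /* a still-linked timer now dangles */
}
/* Arm the LRU timer, unload the module, report whether the base still holds an
 * entry. The softirq would invoke it on freed memory, so it is not run here. */
static int unload_leaves_stale_timer(int delete_timer)
{
    struct fscache_module *m = fscache_init();
    timer_reduce(&m->cookie_lru_timer, 100);
    fscache_exit(m, delete_timer);
    int stale = timer_base != NULL;
    timer_base = NULL;                     /* reset for the next scenario */
    return stale;
}
```

Running the buggy path under KASAN in a real kernel is what produced the oops above; the model only checks for the stale link, because dereferencing it is the crash.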
Potential Impact
For European organizations, this vulnerability poses a risk primarily to Linux servers and systems that utilize the fscache module, often found in environments using network filesystems such as NFS or CIFS. The impact includes potential denial of service through kernel crashes, which can disrupt critical services, especially in data centers, cloud infrastructure, and enterprise environments relying on Linux-based storage caching. While direct remote exploitation is unlikely without additional vectors, local attackers or malicious insiders could trigger the vulnerability by unloading the fscache module improperly or manipulating timer_reduce() calls. This could lead to system instability, impacting availability of services and potentially causing downtime. Given the widespread use of Linux in European government, financial, and industrial sectors, unpatched systems could face operational disruptions. Additionally, the vulnerability could be leveraged as part of a multi-stage attack to escalate privileges or bypass security controls if combined with other exploits. The lack of a known exploit reduces immediate risk but does not eliminate the threat, especially in high-security environments where kernel integrity is critical.
Mitigation Recommendations
Organizations should promptly apply kernel updates or patches provided by their Linux distribution vendors that address this vulnerability by ensuring the fscache_cookie_lru_timer is deleted during module removal. Until patches are available, administrators should avoid unloading the fscache module on production systems, or ensure that timer_reduce() is not called before module removal, so that the use-after-free condition is never reached. Monitoring kernel logs for an oops in the timer softirq path (for example __run_timer_base in the call trace) that follows an fscache or netfs module unload can help detect the crash this issue produces. Additionally, restricting local user permissions to prevent unauthorized module unloading and limiting access to systems where fscache is used can reduce risk. Employing kernel hardening techniques such as the Kernel Address Sanitizer (KASAN) during testing can help identify similar timer-lifetime issues proactively. Finally, organizations should maintain robust incident response plans to quickly address any kernel crashes or suspicious activity related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.277Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe12e6
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 1:42:06 AM
Last updated: 8/14/2025, 10:44:33 AM
Views: 17