
CVE-2024-46796: Vulnerability in the Linux kernel

High
Published: Wed Sep 18 2024 (09/18/2024, 07:12:51 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double put of @cfile in smb2_set_path_size()

If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call.

This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022:

  CIFS: Attempting to mount //w22-fs0/scratch
  run fstests generic/013 at 2024-09-02 19:48:59
  ==================================================================
  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
  Workqueue: cifsoplockd cifs_oplock_break [cifs]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? detach_if_pending+0xab/0x200
   print_report+0x156/0x4d9
   ? detach_if_pending+0xab/0x200
   ? __virt_addr_valid+0x145/0x300
   ? __phys_addr+0x46/0x90
   ? detach_if_pending+0xab/0x200
   kasan_report+0xda/0x110
   ? detach_if_pending+0xab/0x200
   detach_if_pending+0xab/0x200
   timer_delete+0x96/0xe0
   ? __pfx_timer_delete+0x10/0x10
   ? rcu_is_watching+0x20/0x50
   try_to_grab_pending+0x46/0x3b0
   __cancel_work+0x89/0x1b0
   ? __pfx___cancel_work+0x10/0x10
   ? kasan_save_track+0x14/0x30
   cifs_close_deferred_file+0x110/0x2c0 [cifs]
   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
   ? __pfx_down_read+0x10/0x10
   cifs_oplock_break+0x4c1/0xa50 [cifs]
   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
   ? lock_is_held_type+0x85/0xf0
   ? mark_held_locks+0x1a/0x90
   process_one_work+0x4c6/0x9f0
   ? find_held_lock+0x8a/0xa0
   ? __pfx_process_one_work+0x10/0x10
   ? lock_acquired+0x220/0x550
   ? __list_add_valid_or_report+0x37/0x100
   worker_thread+0x2e4/0x570
   ? __kthread_parkme+0xd1/0xf0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x17f/0x1c0
   ? kthread+0xda/0x1c0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x60
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

  Allocated by task 1118:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0xaa/0xb0
   cifs_new_fileinfo+0xc8/0x9d0 [cifs]
   cifs_atomic_open+0x467/0x770 [cifs]
   lookup_open.isra.0+0x665/0x8b0
   path_openat+0x4c3/0x1380
   do_filp_open+0x167/0x270
   do_sys_openat2+0x129/0x160
   __x64_sys_creat+0xad/0xe0
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Freed by task 83:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   kasan_save_free_info+0x3b/0x70
   poison_slab_object+0xe9/0x160
   __kasan_slab_free+0x32/0x50
   kfree+0xf2/0x300
   process_one_work+0x4c6/0x9f0
   worker_thread+0x2e4/0x570
   kthread+0x17f/0x1c0
   ret_from_fork+0x31/0x60
   ret_from_fork_asm+0x1a/0x30

  Last potentially related work creation:
   kasan_save_stack+0x30/0x50
   __kasan_record_aux_stack+0xad/0xc0
   insert_work+0x29/0xe0
   __queue_work+0x5ea/0x760
   queue_work_on+0x6d/0x90
   _cifsFileInfo_put+0x3f6/0x770 [cifs]
   smb2_compound_op+0x911/0x3940 [cifs]
   smb2_set_path_size+0x228/0x270 [cifs]
   cifs_set_file_size+0x197/0x460 [cifs]
   cifs_setattr+0xd9c/0x14b0 [cifs]
   notify_change+0x4e3/0x740
   do_truncate+0xfa/0x180
   vfs_truncate+0x195/0x200
   __x64_sys_truncate+0x109/0x150
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 06/29/2025, 01:56:01 UTC

Technical Analysis

CVE-2024-46796 is a vulnerability identified in the Linux kernel's SMB (Server Message Block) client implementation, specifically within the CIFS (Common Internet File System) module. The flaw arises from improper handling of reference counting for the @cfile object in the smb2_set_path_size() function. When smb2_compound_op() is invoked with a valid @cfile and returns an -EINVAL error, the code fails to properly reacquire a writable path reference before retrying, leading to a double put (double release) of the @cfile reference. This results in a use-after-free condition, as the reference to the @cfile is dropped prematurely. The vulnerability was detected through Kernel Address Sanitizer (KASAN) testing, which revealed a slab-use-after-free bug during filesystem tests against Windows Server 2022 shares. The bug manifests as a memory corruption issue in detach_if_pending(), triggered by asynchronous CIFS oplock break handling and deferred file closure workqueue processing. The stack traces indicate that the flaw can cause kernel memory corruption, potentially leading to system instability or crashes. Although no public exploits are currently known, the vulnerability affects Linux kernel versions prior to the patch and impacts systems using CIFS/SMB client functionality to mount or interact with Windows SMB shares. The root cause is a logic error in reference management during SMB2 compound operations, which can be triggered by specific filesystem operations such as file truncation or attribute changes over SMB mounts. This vulnerability is particularly relevant for environments where Linux clients access Windows Server SMB shares, a common scenario in mixed OS enterprise networks.
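The retry mistake described in the commit message and the analysis above, as an added userspace model; this is not the kernel's code and not the actual patch. compound_op(), cfile_put() and the refcount fields are assumed stand-ins for smb2_compound_op(), the cifsFileInfo put and the real file object, and the kfree() that KASAN flagged is replaced by a recorded refcount underflow so the model runs safely.

```c
/* Added userspace model of the refcount mistake behind CVE-2024-46796; not
 * the kernel's code. compound_op() stands in for smb2_compound_op() and,
 * like the kernel path, drops the caller's reference on @cfile before it
 * returns. The struct, the fake refcount and all names are assumptions. */
#define SIM_EINVAL 22

struct cfile {
    int refcount;
    int underflow;   /* set when a put hits a count already at zero */
};

/* Drop one reference; the kernel kfree()s on the last put, the model only records an over-put. */
static void cfile_put(struct cfile *cf)
{
    if (cf->refcount <= 0) { cf->underflow = 1; return; }
    cf->refcount--;
}

/* First attempt fails with -EINVAL, second succeeds; both release @cfile. */
static int compound_op(struct cfile *cf, int attempt)
{
    if (cf) cfile_put(cf);
    return attempt == 0 ? -SIM_EINVAL : 0;
}

/* Buggy retry: reuses cf although compound_op() already dropped it. */
static int set_path_size_buggy(struct cfile *cf)
{
    int rc = compound_op(cf, 0);
    if (rc == -SIM_EINVAL)
        rc = compound_op(cf, 1);   /* second put on a released reference */
    return rc;
}

/* Fixed retry: take a fresh reference first, as the patch does via cifs_get_writable_path(). */
static int set_path_size_fixed(struct cfile *cf)
{
    int rc = compound_op(cf, 0);
    if (rc == -SIM_EINVAL) {
        cf->refcount++;            /* stands in for cifs_get_writable_path() */
        rc = compound_op(cf, 1);
    }
    return rc;
}

/* Run a variant on a fresh object holding one reference; 1 if a double put occurred, else 0. */
static int double_put_detected(int (*fn)(struct cfile *))
{
    struct cfile cf = { .refcount = 1, .underflow = 0 };
    fn(&cf);
    return cf.underflow;
}
```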

Potential Impact

For European organizations, this vulnerability poses a risk primarily to Linux systems that mount SMB shares from Windows servers or other SMB-capable devices. Exploitation could lead to kernel memory corruption, causing system crashes (denial of service) or potentially enabling privilege escalation or arbitrary code execution within the kernel context if combined with other vulnerabilities. This could disrupt critical file sharing services, impacting business operations reliant on cross-platform file access. Organizations in sectors with heavy use of Linux clients accessing Windows file servers—such as finance, manufacturing, and public administration—may face operational disruptions. Additionally, the vulnerability could be leveraged in targeted attacks against Linux endpoints in corporate networks, especially where SMB shares are extensively used for collaboration and data exchange. The lack of known exploits reduces immediate risk, but the potential severity of kernel-level memory corruption warrants prompt attention. The vulnerability also increases the attack surface for advanced persistent threat actors aiming to compromise Linux hosts in European enterprises.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch fixing CVE-2024-46796 as soon as it becomes available. Until patched, administrators should consider the following specific mitigations:

1) Limit or restrict the use of CIFS/SMB mounts on Linux clients, especially those connecting to Windows Server 2022 or similar SMB shares, to reduce exposure.
2) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively.
3) Monitor kernel logs for KASAN or slab-use-after-free warnings related to CIFS operations, which could indicate attempted exploitation or instability.
4) Implement strict access controls and network segmentation to isolate Linux clients that require SMB access, minimizing lateral movement risk.
5) Use alternative secure file sharing protocols where feasible, such as NFS or SFTP, to reduce reliance on SMB client mounts.
6) Conduct thorough testing of SMB client functionality post-patch deployment to ensure stability and compatibility.

These measures, combined with timely patching, will mitigate the risk posed by this vulnerability.
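One way to act on mitigation 3 (watching kernel logs for KASAN reports tied to CIFS), as an added example that is not code from the page or from the kernel project: it scans dmesg-style text for "BUG: KASAN:" reports and counts those whose frames name the cifs module. SAMPLE_LOG is constructed, a shortened version of the splat in the description plus one unrelated report, and the "====" separator is assumed to close each report as it does in real KASAN output.

```c
/* Added detection helper for mitigation 3; not the page's or the kernel's
 * code. SAMPLE_LOG is constructed from the splat above, shortened, with an
 * unrelated KASAN report appended to show it is not counted. */
#include <string.h>

static const char SAMPLE_LOG[] =
    "====================\n"
    "BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n"
    "Workqueue: cifsoplockd cifs_oplock_break [cifs]\n"
    "Call Trace:\n"
    " cifs_close_deferred_file+0x110/0x2c0 [cifs]\n"
    "====================\n"
    "BUG: KASAN: slab-use-after-free in unrelated_fn+0x10/0x20\n"
    " process_one_work+0x4c6/0x9f0\n"
    "====================\n";

/* Bounded substring search, so a line need not be NUL-terminated. */
static int line_has(const char *line, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(line + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Count KASAN reports mentioning [cifs]. A report opens at a "BUG: KASAN:"
 * line and closes at the next "====" separator (or at end of log). */
static int count_cifs_kasan_reports(const char *log)
{
    int reports = 0, in_report = 0, cifs_seen = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (line_has(p, len, "BUG: KASAN:")) {
            in_report = 1; cifs_seen = 0;
        } else if (in_report && line_has(p, len, "====")) {
            reports += cifs_seen;
            in_report = 0;
        } else if (in_report && line_has(p, len, "[cifs]")) {
            cifs_seen = 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    reports += in_report && cifs_seen;   /* report truncated at end of log */
    return reports;
}

static int sample_cifs_reports(void) { return count_cifs_kasan_reports(SAMPLE_LOG); }
```

A hit is a signal to collect the full splat and check the kernel version against the fix, not proof of exploitation; a matching report can also come from the unpatched bug being hit by ordinary workload.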


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-11T15:12:18.279Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1330

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 1:56:01 AM

Last updated: 8/10/2025, 2:47:14 PM
