
CVE-2024-47691: Vulnerability in Linux Linux

High
Published: Mon Oct 21 2024 (10/21/2024, 11:53:30 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

syzbot reports an f2fs bug as below:

  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
  print_report+0xe8/0x550 mm/kasan/report.c:491
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
  instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
  atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
  __refcount_add include/linux/refcount.h:184 [inline]
  __refcount_inc include/linux/refcount.h:241 [inline]
  refcount_inc include/linux/refcount.h:258 [inline]
  get_task_struct include/linux/sched/task.h:118 [inline]
  kthread_stop+0xca/0x630 kernel/kthread.c:704
  f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
  f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
  f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
  __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:907 [inline]
  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is the race condition below; it may cause a use-after-free issue on the sbi->gc_th pointer.

Remount path:
- remount
  - f2fs_remount
    - f2fs_stop_gc_thread
      - kfree(gc_th)

Concurrent ioctl path:
- f2fs_ioc_shutdown
  - f2fs_do_shutdown
    - f2fs_stop_gc_thread
      - kthread_stop(gc_th->f2fs_gc_task)
      : sbi->gc_thread = NULL;

We call f2fs_do_shutdown() in two paths:
- for the f2fs_ioc_shutdown() path, we should grab the sb->s_umount semaphore for the fix.
- for the f2fs_shutdown() path, it's safe since the caller has already grabbed the sb->s_umount semaphore.
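The race described above, as an added single-threaded C model that is not kernel code and not the upstream fix: the ioctl shutdown path is preempted by a remount right after it loads sbi->gc_thread, and the sb->s_umount grab from the fix is modelled as one held flag (the page does not say whether it is taken for read or write). All names here (shutdown_raced_by_remount, the preempt callback, the uaf_hits counter) are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed single-threaded model of the CVE-2024-47691 race, not kernel code.
 * Preemption is explicit: a callback runs between loading sbi->gc_thread and using it. */
struct gc_kthread { bool stopped; bool freed; };
struct sb_info {
    struct gc_kthread *gc_thread; /* sbi->gc_thread */
    bool s_umount_held;           /* sb->s_umount, modelled as a held flag */
    int uaf_hits;                 /* times kthread_stop() touched freed memory */
};

static bool down_write_trylock(struct sb_info *sbi)
{
    if (sbi->s_umount_held) return false; /* real down_write() would sleep */
    sbi->s_umount_held = true;
    return true;
}
static void up_write(struct sb_info *sbi) { sbi->s_umount_held = false; }
static void kthread_stop(struct sb_info *sbi, struct gc_kthread *gc_th)
{
    if (gc_th->freed) { sbi->uaf_hits++; return; } /* kernel: real UAF here */
    gc_th->stopped = true;
}
/* Mirrors f2fs_stop_gc_thread(): load pointer, stop task, kfree, clear. */
static void stop_gc_thread(struct sb_info *sbi, void (*preempt)(struct sb_info *))
{
    struct gc_kthread *gc_th = sbi->gc_thread;
    if (!gc_th) return;
    if (preempt) preempt(sbi);    /* scheduler switches to the other path */
    kthread_stop(sbi, gc_th);
    gc_th->freed = true;          /* kfree(gc_th) */
    sbi->gc_thread = NULL;
}
/* remount path: do_remount() holds sb->s_umount for write around this. */
static void remount(struct sb_info *sbi)
{
    if (!down_write_trylock(sbi)) return; /* would wait behind the holder */
    stop_gc_thread(sbi, NULL);
    up_write(sbi);
}
/* ioctl shutdown path; fixed=true applies the patch's sb->s_umount grab. */
int shutdown_raced_by_remount(bool fixed)
{
    struct gc_kthread th = { false, false };
    struct sb_info sbi = { &th, false, 0 };
    if (fixed) down_write_trylock(&sbi);
    stop_gc_thread(&sbi, remount); /* remount preempts us inside the window */
    if (fixed) up_write(&sbi);
    return sbi.uaf_hits;           /* 1 when unfixed, 0 when fixed */
}
```

Without the semaphore the remount frees gc_th inside the window and kthread_stop() runs on freed memory; with it held, the remount cannot enter f2fs_stop_gc_thread() until the shutdown path has cleared sbi->gc_thread.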

AI-Powered Analysis

Last updated: 06/28/2025, 19:40:05 UTC

Technical Analysis

CVE-2024-47691 is a use-after-free vulnerability in the Linux kernel's F2FS (Flash-Friendly File System) implementation, specifically within the f2fs_stop_gc_thread() function. The flaw is a race on the garbage collection thread pointer (sbi->gc_th). A remount (f2fs_remount() -> f2fs_stop_gc_thread()) frees the garbage collection thread structure with kfree(gc_th), while a concurrent shutdown ioctl (f2fs_ioc_shutdown() -> f2fs_do_shutdown() -> f2fs_stop_gc_thread()) has already loaded the same pointer and calls kthread_stop() on the freed structure before it sees sbi->gc_thread set to NULL. f2fs_do_shutdown() is reached from two paths: f2fs_shutdown(), whose caller already holds the sb->s_umount semaphore, and f2fs_ioc_shutdown(), which did not hold it, leaving the window in which the two paths overlap. The resulting use-after-free can cause kernel crashes or potentially allow attackers to execute arbitrary code or escalate privileges by manipulating kernel memory. The vulnerability was identified by syzbot and fixed by acquiring the sb->s_umount semaphore in the f2fs_ioc_shutdown() path, serializing it against remount and eliminating the race. The vulnerability affects Linux kernel versions containing the specified commit (7950e9ac638e84518fbdd5c930939ad46a1068c5) and is relevant to systems using the F2FS filesystem, commonly deployed on flash storage devices. No known exploits are reported in the wild as of the publication date (October 21, 2024).

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to systems running Linux with F2FS filesystems, which are often used in embedded systems, mobile devices, and some server environments utilizing flash storage. Exploitation could lead to denial of service through kernel crashes or potentially privilege escalation if an attacker can trigger the use-after-free condition. This could compromise confidentiality, integrity, and availability of affected systems. Organizations relying on Linux-based infrastructure for critical services, especially those with flash storage using F2FS, could face operational disruptions or security breaches. Given the kernel-level nature of the vulnerability, successful exploitation could undermine system security controls and lead to broader network compromise. The lack of known exploits currently reduces immediate risk, but the vulnerability's presence in widely used Linux kernels means European entities should prioritize patching to mitigate future threats.

Mitigation Recommendations

European organizations should immediately identify Linux systems using the F2FS filesystem and verify kernel versions against the fixed commit. Applying the latest Linux kernel patches that address CVE-2024-47691 is critical. For systems where immediate patching is not feasible, organizations should limit access to affected systems, especially restricting untrusted users from performing remount or shutdown operations on F2FS filesystems. Monitoring kernel logs for unusual crashes or stack traces related to f2fs_stop_gc_thread can help detect exploitation attempts. Additionally, implementing strict access controls and employing kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) can reduce exploitation likelihood. Organizations should also review and update incident response plans to address potential kernel-level compromises. Finally, coordinating with Linux distribution vendors for timely updates and advisories is recommended.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-09-30T16:00:12.942Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9825c4522896dcbe050d

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 7:40:05 PM

Last updated: 7/31/2025, 12:55:39 AM
