
CVE-2024-47692: Vulnerability in Linux Linux

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 11:53:31 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: return -EINVAL when namelen is 0

When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered.

    [ T1205] ==================================================================
    [ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260
    [ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205
    [ T1205]
    [ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406
    [ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
    [ T1205] Call Trace:
    [ T1205]  dump_stack+0x9a/0xd0
    [ T1205]  ? nfs4_client_to_reclaim+0xe9/0x260
    [ T1205]  __kasan_report.cold+0x34/0x84
    [ T1205]  ? nfs4_client_to_reclaim+0xe9/0x260
    [ T1205]  kasan_report+0x3a/0x50
    [ T1205]  nfs4_client_to_reclaim+0xe9/0x260
    [ T1205]  ? nfsd4_release_lockowner+0x410/0x410
    [ T1205]  cld_pipe_downcall+0x5ca/0x760
    [ T1205]  ? nfsd4_cld_tracking_exit+0x1d0/0x1d0
    [ T1205]  ? down_write_killable_nested+0x170/0x170
    [ T1205]  ? avc_policy_seqno+0x28/0x40
    [ T1205]  ? selinux_file_permission+0x1b4/0x1e0
    [ T1205]  rpc_pipe_write+0x84/0xb0
    [ T1205]  vfs_write+0x143/0x520
    [ T1205]  ksys_write+0xc9/0x170
    [ T1205]  ? __ia32_sys_read+0x50/0x50
    [ T1205]  ? ktime_get_coarse_real_ts64+0xfe/0x110
    [ T1205]  ? ktime_get_coarse_real_ts64+0xa2/0x110
    [ T1205]  do_syscall_64+0x33/0x40
    [ T1205]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
    [ T1205] RIP: 0033:0x7fdbdb761bc7
    [ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514
    [ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    [ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7
    [ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008
    [ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001
    [ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b
    [ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000
    [ T1205] ==================================================================

Fix it by checking namelen.

AI-Powered Analysis

Last updated: 06/28/2025, 19:40:19 UTC

Technical Analysis

CVE-2024-47692 is a vulnerability identified in the Linux kernel's NFS daemon (nfsd) component, specifically related to the handling of client reclaim operations in the NFSv4 protocol. The issue arises when the nfsdcld daemon encounters a corrupted main.sqlite database file located at /var/lib/nfs/nfsdcld/. This corruption can cause the variable namelen, which represents the length of a client name, to be zero. When namelen is zero, the kernel function memdup_user() returns a special pointer value ZERO_SIZE_PTR instead of a valid memory address. Subsequently, the code attempts to access name.data using this ZERO_SIZE_PTR in the function nfs4_client_to_reclaim(), leading to a null pointer dereference. This triggers a kernel crash detected by Kernel Address Sanitizer (KASAN), as evidenced by the detailed kernel stack trace provided. The root cause is the lack of validation for namelen being zero before dereferencing the pointer. The fix involves adding a check to return an error (-EINVAL) when namelen is zero, preventing the null pointer dereference. This vulnerability affects Linux kernel versions including 5.10.0 and potentially others that incorporate the vulnerable nfsd code. The vulnerability does not require user interaction but does require the presence of a corrupted nfsdcld database and the use of NFSv4 client reclaim functionality. No known exploits are currently reported in the wild. The vulnerability is a denial-of-service (DoS) type, as it causes a kernel crash, potentially leading to system instability or downtime on affected servers running NFS services.
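The failure mode described above, modelled in userspace C as an added example (this is not the kernel's code): a stand-in for memdup_user() that returns ZERO_SIZE_PTR for a zero-length request, the unchecked parse that hands that sentinel on to the caller, and the checked parse that rejects a zero namelen with -EINVAL before anything is allocated. The message layout, the NAME_MAX_LEN cap and the function names are assumptions made for the model, not taken from this page or from the kernel.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Kernel sentinel returned by kmalloc(0) and memdup_user(..., 0): non-NULL
 * but unmapped, which is why the KASAN report above shows a 1-byte read at
 * address 0x10 rather than a clean NULL dereference. */
#define ZERO_SIZE_PTR ((void *)16)
#define NAME_MAX_LEN 1024   /* assumed upper bound on a client id; not from the page */

/* Constructed model of an nfsdcld downcall record: a length, then the id. */
struct cld_name_msg {
    size_t cn_len;
    char cn_id[NAME_MAX_LEN];
};

/* Stand-in for memdup_user(): copies len bytes out of the record and, for
 * len == 0, returns ZERO_SIZE_PTR exactly as the kernel helper does. */
static void *memdup_user_model(const void *src, size_t len)
{
    if (len == 0)
        return ZERO_SIZE_PTR;
    void *p = malloc(len);
    if (p)
        memcpy(p, src, len);
    return p;
}

/* Before the fix: cn_len is trusted, so a corrupted record with length 0
 * succeeds and hands ZERO_SIZE_PTR to the reclaim path, which reads byte 0. */
static int parse_name_unchecked(const struct cld_name_msg *msg, void **out)
{
    void *data = memdup_user_model(msg->cn_id, msg->cn_len);
    if (!data)
        return -ENOMEM;
    *out = data;   /* caller must free() unless it is ZERO_SIZE_PTR */
    return 0;
}

/* After the fix: a zero (or oversized) length is rejected with -EINVAL
 * up front, so the sentinel can never reach code that dereferences it. */
static int parse_name_checked(const struct cld_name_msg *msg, void **out)
{
    if (msg->cn_len == 0 || msg->cn_len > NAME_MAX_LEN)
        return -EINVAL;
    return parse_name_unchecked(msg, out);
}
```
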

Potential Impact

For European organizations, this vulnerability poses a risk primarily to servers running Linux with NFSv4 services enabled, especially those using nfsdcld for client tracking. The impact is a potential denial-of-service condition caused by a kernel crash triggered by malformed or corrupted client state data. This could disrupt file sharing services critical to business operations, particularly in sectors relying heavily on NFS for storage and data access, such as telecommunications, finance, research institutions, and cloud service providers. The crash could be triggered inadvertently by corrupted state files or deliberately by an attacker with access to the NFS server or its client state files, leading to service outages. Given the kernel-level nature of the crash, recovery might require system reboots, causing downtime. Confidentiality and integrity are not directly impacted, but availability is significantly affected. Organizations with high availability requirements and those operating critical infrastructure could face operational disruptions and potential financial losses due to service interruptions.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that include the fix for CVE-2024-47692 as soon as they become available.
2) Regularly monitor and verify the integrity of the /var/lib/nfs/nfsdcld/main.sqlite database to detect corruption early. Implement automated integrity checks and alerts.
3) Restrict access to the NFS server and its client state files to trusted administrators only, minimizing the risk of malicious corruption.
4) Implement robust backup and recovery procedures for NFS server state data to enable quick restoration in case of corruption.
5) Consider deploying kernel hardening and runtime protection tools such as KASAN or other memory safety mechanisms in testing environments to detect similar issues proactively.
6) Monitor system logs for signs of nfsdcld crashes or kernel panics related to NFS client reclaim operations to detect exploitation attempts or accidental triggers.
7) Where feasible, isolate critical NFS servers in segmented network zones to limit exposure.
8) Educate system administrators on the importance of maintaining healthy NFS client state databases and on procedures to safely recover from corruption.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-30T16:00:12.942Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe0511

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 7:40:19 PM

Last updated: 7/28/2025, 6:19:20 AM

