CVE-2024-47701: Vulnerability in the Linux kernel (ext4)
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid OOB when system.data xattr changes underneath the filesystem

When looking up an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as a UAF.

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
 ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
 ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
 filename_create+0x297/0x540 fs/namei.c:3980
 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
 __do_sys_symlinkat fs/namei.c:4610 [inline]
 __se_sys_symlinkat fs/namei.c:4607 [inline]
 __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e73ced469
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
 </TASK>

Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem.
AI Analysis
Technical Summary
CVE-2024-47701 is a flaw in the Linux kernel's ext4 filesystem, in the path that looks up a name in an inline directory. ext4 can store a small directory inside the inode itself: the first 60 bytes of entries live in i_block, and any remainder lives in the value of the in-inode extended attribute system.data. The lookup (ext4_find_inline_entry) reaches that value through the xattr entry's e_value_offs field. If the on-disk inode changes underneath the mounted filesystem, for example because the backing block device is modified (the reproducer log shows loop0 shrinking from 2048 to 2047 sectors while mounted), e_value_offs no longer points inside the inode's xattr area and ext4_search_dir reads outside it. KASAN reports this as a one-byte use-after-free read in ext4_search_dir (fs/ext4/namei.c:1500), reached from a symlinkat() call through ext4_lookup. The root cause is that the lookup reloaded the inode with ext4_get_inode_loc and then reused xattr metadata without re-validating it. The fix calls ext4_xattr_ibody_find immediately after ext4_get_inode_loc; that function runs the in-inode xattr consistency checks, so an inconsistent xattr area fails the lookup as filesystem corruption instead of being dereferenced. The mount messages in the report ("without journal", "Quota mode: none") describe the syzkaller test image and are not preconditions for the bug. The reproducer ran as root (UID 0) on 6.11.0-rc4-syzkaller; affected kernels are those with ext4 inline data support that lack the fix, including stable branches until the fix was backported, so distribution advisories rather than a single version number should be used to determine exposure. The demonstrated effect is a kernel crash from an out-of-bounds read; code execution is not demonstrated by the report. No exploitation in the wild has been reported and no CVSS score is recorded for this entry.
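As an added example that is not the kernel's code or the fix itself, the C program below models the pattern behind this bug: an inline directory lookup that takes the in-inode system.data entry's e_value_offs at face value, beside one that validates the xattr region before using the offset, which is what the fix obtains by calling ext4_xattr_ibody_find after ext4_get_inode_loc. The structure layout, the 64-byte area size, and the build_ibody, find_data_checked, inline_dir_has, checked_lookup and unchecked_offset names are assumptions for illustration; the inode contents are constructed inline.

```c
/* Added example, not kernel code: a simplified model of an inline directory
 * lookup reaching the system.data value through an in-inode xattr entry.
 * unchecked_offset trusts e_value_offs (pre-fix); find_data_checked validates
 * the region first, as the fix obtains via ext4_xattr_ibody_find. Layout,
 * sizes and helper names are assumptions, not those of fs/ext4/xattr.h. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IBODY_LEN     64u          /* assumed size of the in-inode xattr area */
#define XATTR_MAGIC   0xEA020000u  /* ext4 in-inode xattr header magic */
#define INDEX_SYSTEM  7u           /* ext4 name index of the "system." prefix */
#define VALUE_SIZE    8u           /* size of the constructed system.data value */
#define VALUE_OFFS_OK 52u          /* where build_ibody really places the value */

struct xent {                  /* simplified; ext4_xattr_entry has more fields */
    uint8_t  name_len, name_index;
    uint16_t value_offs;       /* offset of the value from the first entry */
    uint32_t value_size;
    char     name[4];
};

/* Constructed ibody: magic, one system.data entry, and an 8-byte inline dirent
 * (inode 1, name_len 3, "foo") at the tail. value_offs is a parameter so the
 * stored field can be "changed underneath" while the value itself stays put. */
static void build_ibody(uint8_t *buf, uint16_t value_offs)
{
    const uint32_t magic = XATTR_MAGIC;
    const struct xent e = { 4, INDEX_SYSTEM, value_offs, VALUE_SIZE,
                            { 'd', 'a', 't', 'a' } };
    const uint8_t dirent[VALUE_SIZE] = { 1, 0, 0, 0, 3, 'f', 'o', 'o' };
    memset(buf, 0, IBODY_LEN);
    memcpy(buf, &magic, sizeof magic);
    memcpy(buf + 4, &e, sizeof e);
    memcpy(buf + 4 + VALUE_OFFS_OK, dirent, sizeof dirent);
}

/* Pre-fix pattern: read the entry back and use value_offs exactly as stored.
 * Returns the byte offset the lookup would read from; nothing bounds it. */
size_t unchecked_offset(uint16_t value_offs)
{
    uint8_t ibody[IBODY_LEN];
    struct xent e;
    build_ibody(ibody, value_offs);
    memcpy(&e, ibody + 4, sizeof e);
    return 4 + (size_t)e.value_offs;
}

/* Post-fix pattern: check magic, entry and value bounds before handing out
 * a pointer. 0 on success; -1 where the kernel would return -EFSCORRUPTED. */
int find_data_checked(const uint8_t *ibody, size_t len,
                      const uint8_t **val, size_t *size)
{
    uint32_t magic;
    struct xent e;
    size_t region;
    if (len < 4 + sizeof e)
        return -1;
    memcpy(&magic, ibody, sizeof magic);
    memcpy(&e, ibody + 4, sizeof e);
    if (magic != XATTR_MAGIC || e.name_index != INDEX_SYSTEM ||
        e.name_len != 4 || memcmp(e.name, "data", 4) != 0)
        return -1;
    region = len - 4;                   /* bytes following the header */
    if (e.value_offs < sizeof e ||      /* value would overlap the entry */
        e.value_offs > region || e.value_size > region - e.value_offs)
        return -1;
    *val = ibody + 4 + e.value_offs;
    *size = e.value_size;
    return 0;
}

/* Simplified inline dirent walk (4-byte inode, 1-byte name_len, name):
 * 1 = present, 0 = absent, -1 = an entry runs past the end of the value. */
int inline_dir_has(const uint8_t *val, size_t size, const char *name)
{
    size_t nl = strlen(name), off = 0;
    while (off + 5 <= size) {
        uint8_t len = val[off + 4];
        if (off + 5 + len > size)
            return -1;
        if (len == nl && memcmp(val + off + 5, name, nl) == 0)
            return 1;
        off += 5 + len;
    }
    return 0;
}

/* Lookup of "foo" with the given stored value_offs: 1 = found, 0 = absent,
 * -1 = rejected as corrupt before any byte of the value is read. */
int checked_lookup(uint16_t value_offs)
{
    uint8_t ibody[IBODY_LEN];
    const uint8_t *val;
    size_t size;
    build_ibody(ibody, value_offs);
    if (find_data_checked(ibody, IBODY_LEN, &val, &size) != 0)
        return -1;
    return inline_dir_has(val, size, "foo");
}
```

With the stored offset 52 the checked path resolves "foo". With 60 the entry is still in bounds but its 8-byte value would run past the 64-byte area, and the checked path rejects it. With 0x7ff0, the kind of value a modified block device can leave behind, unchecked_offset returns 32756 for a 64-byte area; the unchecked variant would read there, which in the kernel landed in freed memory and is what KASAN reported as a use-after-free. A stale but in-bounds offset such as 12 simply yields "absent", which is the failure mode one wants from metadata that changed underneath the filesystem.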
Potential Impact
For European organizations, as anywhere else, exposure to CVE-2024-47701 depends on whether a host mounts ext4 filesystems whose backing device an attacker can influence. ext4 is the default root filesystem on most Linux servers, cloud images and embedded systems, so the installed base is large, but the trigger is not an ordinary file operation: the on-disk inode has to change underneath a mounted filesystem, or the filesystem has to be mounted from a crafted or modified image. That requires control of a block device or disk image plus the ability to get it mounted, which means root, CAP_SYS_ADMIN, or a mount helper such as udisks for removable media (the syzkaller reproducer ran as UID 0). A characterisation of the bug as requiring no authentication or privileges does not hold. The realistic exposure is on hosts that automount removable media, systems that mount untrusted images (CI runners, forensic and image-processing pipelines, hypervisors that attach guest-supplied disks on the host side), and containers that have been given block-device access or CAP_SYS_ADMIN. The demonstrated impact is a kernel crash, that is, denial of service of the whole host and of every container or VM it runs. The report shows a one-byte out-of-bounds read; turning that into code execution or privilege escalation is not demonstrated, so the issue should be handled primarily as an availability and filesystem-integrity problem rather than a remote compromise. Under GDPR and similar availability and integrity obligations, an unpatched kernel on hosts that process untrusted images is still a finding to track, and the absence of known exploits leaves room for routine rather than emergency patching.
Mitigation Recommendations
European organizations should apply the distribution kernel update that carries the fix for CVE-2024-47701. Debian, Ubuntu, Red Hat, SUSE and the other distributions ship it through their regular kernel security updates, and their advisories for this CVE are the reliable way to check a given kernel: the fix was backported to stable branches, so a version number alone is not a good indicator. Where patching must wait, the following mitigations address how the bug is actually reached:
1) Do not mount ext4 images from untrusted sources on production hosts. Disable automounting of removable media (udisks and desktop automount) on servers, and treat disk images supplied by users, tenants or CI jobs as untrusted input.
2) When an untrusted image must be examined, attach it read-only (losetup -r, mount -o ro,nodev,nosuid,noexec) and run e2fsck -fn on it first, so that inconsistent inline data and xattr regions are caught before the kernel parses them. This does not help if the device can still change after the check, so also ensure nothing else can write to the backing file or device while it is mounted.
3) Restrict who can mount: ext4 cannot be mounted from an unprivileged user namespace, so keep containers unprivileged, do not pass /dev/loop* or raw block devices into containers, and do not grant CAP_SYS_ADMIN to workloads that handle images.
4) Watch dmesg and the journal for EXT4-fs error messages, "detected capacity change" lines on loop devices, and kernel oops or BUG reports; a capacity change on a mounted loop device is exactly the condition shown in this report.
5) In virtualised environments, do not mount guest disks on the host while the guest is running, and keep image-handling services on isolated hosts so that a crash does not take down unrelated workloads.
6) Keep backups and an incident response plan current so that a crash-induced outage can be recovered quickly.
Enabling journaling does not mitigate this bug: the journal protects against unclean shutdowns, not against the device contents changing under a mounted filesystem. KASAN is the debugging instrumentation that found the bug, not a production hardening option, and KPTI is unrelated to it.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-30T16:00:12.945Z
- CISA Enriched: true
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe054e
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 7:41:55 PM
Last updated: 8/15/2025, 9:49:45 AM
Related Threats
- CVE-2025-9028: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-26709: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE F50 (Medium)
- CVE-2025-9027: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-9026: OS Command Injection in D-Link DIR-860L (Medium)
- CVE-2025-9025: SQL Injection in code-projects Simple Cafe Ordering System (Medium)