CVE-2024-47706: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible UAF for bfqq->bic with merge chain

1) initial state, three tasks:

```
        Process 1       Process 2       Process 3
         (BIC1)          (BIC2)          (BIC3)
          |  Λ            |  Λ            |  Λ
          |  |            |  |            |  |
          V  |            V  |            V  |
          bfqq1           bfqq2           bfqq3
process ref:  1               1               1
```

2) bfqq1 merged to bfqq2:

```
        Process 1       Process 2       Process 3
         (BIC1)          (BIC2)          (BIC3)
          |               |               |  Λ
          \--------------\|               |  |
                          V               V  |
          bfqq1--------->bfqq2           bfqq3
process ref:  0               2               1
```

3) bfqq2 merged to bfqq3:

```
        Process 1       Process 2       Process 3
         (BIC1)          (BIC2)          (BIC3)
  here -> Λ               |               |
          \--------------\ \-------------\|
                          V               V
          bfqq1--------->bfqq2---------->bfqq3
process ref:  0               1               3
```

In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finally handle IO by bfqq3. However, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1.

```
bfq_insert_request
-> by Process 1
 bfqq = bfq_init_rq(rq)
  bfqq = bfq_get_bfqq_handle_split
   bfqq = bic_to_bfqq
   -> get bfqq2 from BIC1
   bfqq->ref++
   rq->elv.priv[0] = bic
   rq->elv.priv[1] = bfqq
   if (bfqq_process_refs(bfqq) == 1)
    bfqq->bic = bic
    -> record BIC1 to bfqq2

 __bfq_insert_request
  new_bfqq = bfq_setup_cooperator
  -> get bfqq3 from bfqq2->new_bfqq
  bfqq_request_freed(bfqq)
  new_bfqq->ref++
  rq->elv.priv[1] = new_bfqq
  -> handle IO by bfqq3
```

Fix the problem by checking bfqq is from merge chain first.

And this might fix a following problem reported by our syzkaller (unreproducible):

```
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595

CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x10d/0x610 mm/kasan/report.c:475
 kasan_report+0x8e/0xc0 mm/kasan/report.c:588
 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
 bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
 bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
 bfq_init_rq block/bfq-iosched.c:6876 [inline]
 bfq_insert_request block/bfq-iosched.c:6254 [inline]
 bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
 </TASK>

Allocated by task 20776:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3458 [inline]
 kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
 ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
```
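To make the ownership check concrete, here is a constructed model of the three-step scenario above (example code added here, not the kernel's own; the struct fields, merge_bfqqs(), chain_tail(), insert_request() and replay() are simplified stand-ins for the BFQ internals named in the commit message, and the reference moves only approximate the real bfqq->ref accounting):

```c
/* Constructed model of the bfqq->bic ownership bug from the commit message above.
 * Not kernel code: names mirror the message, mechanics are reduced to the
 * reference moves and the merge chain it describes. */
struct bfq_queue;
struct bfq_io_cq { struct bfq_queue *bfqq; };  /* a BIC: what bic_to_bfqq() returns */
struct bfq_queue {
    int process_refs;
    struct bfq_io_cq *bic;       /* owner recorded by the insert path */
    struct bfq_queue *new_bfqq;  /* set once this queue was merged away */
};

/* Merge 'from' into 'to' on behalf of BIC 'by': redirect the BIC, move its ref. */
static void merge_bfqqs(struct bfq_io_cq *by, struct bfq_queue *from, struct bfq_queue *to)
{
    from->new_bfqq = to;
    by->bfqq = to;
    from->process_refs--;
    to->process_refs++;
}

/* bfq_setup_cooperator: follow the merge chain to the queue that handles IO. */
static struct bfq_queue *chain_tail(struct bfq_queue *q)
{
    while (q->new_bfqq)
        q = q->new_bfqq;
    return q;
}

/* The insert path. fixed == 0: refs == 1 alone claims ownership (old code).
 * fixed != 0: a queue inside a merge chain is never claimed (the fix). */
static struct bfq_queue *insert_request(struct bfq_io_cq *bic, int fixed)
{
    struct bfq_queue *bfqq = bic->bfqq, *tail;
    if (bfqq->process_refs == 1 && !(fixed && bfqq->new_bfqq))
        bfqq->bic = bic;                     /* "record BIC1 to bfqq2" */
    tail = chain_tail(bfqq);
    if (tail != bfqq)
        tail->process_refs++;                /* new_bfqq->ref++ */
    return tail;
}

struct outcome { int bfqq2_owned_by_bic1, served_by_bfqq3, refs[3]; };

/* Replay steps 1-3 of the commit message, then the insert by Process 1. */
static struct outcome replay(int fixed)
{
    struct bfq_queue q[3] = { {1}, {1}, {1} };               /* bfqq1..3, one ref each */
    struct bfq_io_cq b[3] = { {&q[0]}, {&q[1]}, {&q[2]} };  /* BIC1..3 */
    struct outcome o;
    merge_bfqqs(&b[0], &q[0], &q[1]);                        /* 2) bfqq1 merged to bfqq2 */
    merge_bfqqs(&b[1], &q[1], &q[2]);                        /* 3) bfqq2 merged to bfqq3 */
    o.served_by_bfqq3 = insert_request(&b[0], fixed) == &q[2];
    o.bfqq2_owned_by_bic1 = q[1].bic == &b[0];
    for (int i = 0; i < 3; i++)
        o.refs[i] = q[i].process_refs;
    return o;
}
```

replay(0) reproduces the old behaviour (bfqq2->bic recorded as BIC1 while bfqq3 serves the request); replay(1) applies the merge-chain check first and leaves bfqq2->bic untouched, with the process refs ending at 0/1/3 as in the third diagram.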
AI Analysis
Technical Summary
CVE-2024-47706 is a use-after-free (UAF) vulnerability in the Linux kernel's block I/O layer, specifically in the Budget Fair Queueing (BFQ) I/O scheduler. It arises from incorrect ownership handling of bfqq (BFQ queue) structures when queues belonging to different BFQ I/O contexts (BICs) are merged. In the scenario from the commit message, three processes each have their own BIC and bfqq; bfqq1 is merged into bfqq2 and bfqq2 into bfqq3, so a request from Process 1 first resolves to bfqq2 via BIC1 and then to bfqq3 through the merge chain. Because bfqq2 is left with a single process reference, the insert path treats it as if it were still owned by BIC1 alone, as in the initial state, and records BIC1 in bfqq2->bic even though the request is actually handled by bfqq3. That recorded pointer is stale, and a later use of bfqq2->bic touches memory that may already have been freed or reallocated.

The bug was detected by the Kernel Address Sanitizer (KASAN), which reported slab-use-after-free errors in the BFQ stable-merge and queue-lookup paths (bfq_do_early_stable_merge, bfq_do_or_sched_stable_merge, bfq_get_queue). The root cause is the missing check for whether a bfqq is part of a merge chain before its bic pointer is assigned, which leads to incorrect reference handling and a dangling pointer. The KASAN report was produced on kernel build 6.6.0-07439-gba2303cacfda; other versions carrying the same BFQ merge logic are potentially affected. Exploitation would require triggering I/O patterns that cause bfqq merges across processes, which is complex but possible in multi-tenant or containerized environments. No known exploits are reported in the wild yet. As with other kernel-space use-after-free bugs, the consequences range from kernel crashes (denial of service) to memory corruption and potential privilege escalation.
The patch involves adding proper checks to verify if a bfqq is from a merge chain before assigning its bic pointer, preventing stale references and ensuring correct reference counting and memory management.
Potential Impact
For European organizations, this vulnerability poses a significant risk to any systems running vulnerable Linux kernel versions with the BFQ I/O scheduler enabled. This includes servers, cloud infrastructure, and embedded devices widely used in industries such as finance, telecommunications, manufacturing, and government. Exploitation could lead to system instability, crashes, or potential privilege escalation, undermining confidentiality, integrity, and availability of critical services. Organizations relying on multi-tenant environments or container orchestration platforms are particularly at risk because the vulnerability involves interactions between processes and their I/O contexts. Disruption of critical infrastructure or data breaches could result from successful exploitation. Additionally, the complexity of the vulnerability and lack of public exploits may delay detection, increasing the window of exposure. The impact is heightened in sectors with stringent regulatory requirements for data protection and uptime, such as banking and healthcare, common across Europe. Furthermore, the vulnerability could be leveraged in targeted attacks against high-value assets, especially in countries with advanced digital infrastructure.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2024-47706 as soon as patches become available from their Linux distribution vendors. Until patches are applied, organizations should consider disabling the BFQ I/O scheduler if feasible, switching to alternative schedulers like CFQ or deadline to reduce exposure. Monitoring kernel logs for KASAN or other memory corruption alerts can help detect exploitation attempts. Implement strict access controls and isolate critical workloads to minimize the risk of cross-process exploitation. Employ kernel hardening techniques such as Kernel Page Table Isolation (KPTI) and enable kernel lockdown features where supported. For containerized environments, enforce strict resource and namespace isolation to prevent malicious processes from triggering the vulnerability. Regularly audit and update all Linux-based systems, especially those exposed to untrusted users or network traffic. Collaborate with Linux distribution maintainers to receive timely security updates and verify patch deployment. Finally, conduct penetration testing and fuzzing focused on I/O scheduler behavior to proactively identify similar issues.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-30T16:00:12.946Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe0570
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 7:54:46 PM
Last updated: 7/26/2025, 7:05:37 AM