
CVE-2024-49863: Vulnerability in Linux Linux

Severity: High
Tags: Vulnerability, CVE-2024-49863, cve, cve-2024-49863
Published: Mon Oct 21 2024 (10/21/2024, 18:01:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()

Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when the guest sends a SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc->target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from the guest. When this bug occurs, the vhost_worker process is killed while holding `vq->mutex` and the corresponding tpg will remain occupied indefinitely.

Below is the KASAN report:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS:  000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
 <TASK>
 ? show_regs+0x86/0xa0
 ? die_addr+0x4b/0xd0
 ? exc_general_protection+0x163/0x260
 ? asm_exc_general_protection+0x27/0x30
 ? vhost_scsi_get_req+0x165/0x3a0
 vhost_scsi_ctl_handle_vq+0x2a4/0xca0
 ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10
 ? __switch_to+0x721/0xeb0
 ? __schedule+0xda5/0x5710
 ? __kasan_check_write+0x14/0x30
 ? _raw_spin_lock+0x82/0xf0
 vhost_scsi_ctl_handle_kick+0x52/0x90
 vhost_run_work_list+0x134/0x1b0
 vhost_task_fn+0x121/0x350
 ...
 </TASK>
---[ end trace 0000000000000000 ]---

Let's add a check in vhost_scsi_get_req.

[whitespace fixes]
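The defect described above is a classic "this branch legitimately has no target, but the shared helper assumes one" bug. The following is an added user-space model of that pattern, not Linux kernel code: struct vhost_ctx, vs_tpg, get_req_unchecked(), get_req_checked() and handle_ctl_request() are stand-in names chosen for this example, the request-type codes are hypothetical, and the tpg table is constructed. get_req_unchecked() has the shape of the vulnerable helper (it dereferences the target pointer for every request type), get_req_checked() has the shape of the fix (look up a tpg only when the request names a target), and handle_ctl_request() builds the context the way the commit message says the control-queue handler does.

```c
/*
 * Added example (not Linux kernel code): a user-space model of the
 * control-queue request pattern behind CVE-2024-49863. Names such as
 * struct vhost_ctx, vs_tpg, get_req_unchecked(), get_req_checked() and
 * handle_ctl_request() are stand-ins chosen for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Table size modelled on the kernel's VHOST_SCSI_MAX_TARGET (256): a u8
 * target index can never run past the end, so no bounds check is needed. */
#define MAX_TARGET 256

/* Hypothetical request-type codes standing in for VIRTIO_SCSI_T_TMF and
 * the VIRTIO_SCSI_T_AN_* family. */
enum req_type { REQ_TMF = 0, REQ_AN_QUERY = 1, REQ_AN_SUBSCRIBE = 2 };

struct tpg { int id; };              /* stand-in for a target portal group */

struct vhost_ctx {                   /* stand-in for the per-request context */
    enum req_type type;
    const uint8_t *target;           /* &lun[1] for TMF, NULL for AN requests */
};

/* Constructed backend table: targets 0 and 1 exist, every other slot is NULL. */
static struct tpg tpg_a = { 10 }, tpg_b = { 11 };
static struct tpg *vs_tpg[MAX_TARGET] = { &tpg_a, &tpg_b };

/* Vulnerable shape: dereferences ctx->target for every request type, so an
 * AN request (target == NULL) faults on the first line. Only ever called
 * with a TMF context below. */
int get_req_unchecked(const struct vhost_ctx *ctx, struct tpg **tpgp)
{
    struct tpg *t = vs_tpg[*ctx->target];   /* NULL deref for AN requests */
    if (!t)
        return -1;
    if (tpgp)
        *tpgp = t;
    return 0;
}

/* Hardened shape: consult the tpg table only when the request names a
 * target. AN requests legitimately carry none and simply succeed. */
int get_req_checked(const struct vhost_ctx *ctx, struct tpg **tpgp)
{
    if (ctx->target) {
        struct tpg *t = vs_tpg[*ctx->target];
        if (!t)
            return -1;               /* target does not exist */
        if (tpgp)
            *tpgp = t;
    }
    return 0;
}

/* Build the context the way the control-queue handler does and dispatch
 * through the hardened lookup. Returns the tpg id for a resolvable TMF
 * request, 0 for an AN request (no tpg needed), -1 for a missing target. */
int handle_ctl_request(enum req_type type, uint8_t lun1)
{
    struct vhost_ctx ctx = { type, NULL };
    struct tpg *t = NULL;

    switch (type) {
    case REQ_TMF:
        ctx.target = &lun1;          /* mirrors vc.target = &v_req.tmf.lun[1] */
        break;
    case REQ_AN_QUERY:
    case REQ_AN_SUBSCRIBE:
        ctx.target = NULL;           /* no tpg required: the branch that crashed */
        break;
    }

    if (get_req_checked(&ctx, &t) < 0)
        return -1;
    return t ? t->id : 0;
}

int main(void)
{
    uint8_t lun1 = 0;
    struct vhost_ctx tmf = { REQ_TMF, &lun1 };
    struct tpg *t = NULL;

    /* On the TMF path both helpers agree; only the AN path differs. */
    printf("unchecked TMF to target 0 -> tpg %d\n",
           get_req_unchecked(&tmf, &t) == 0 ? t->id : -1);
    printf("checked   TMF to target 1 -> tpg %d\n", handle_ctl_request(REQ_TMF, 1));
    printf("checked   TMF to target 7 -> %d (no such target)\n", handle_ctl_request(REQ_TMF, 7));
    printf("checked   AN query        -> %d (handled without a tpg)\n",
           handle_ctl_request(REQ_AN_QUERY, 0));
    return 0;
}
```

The point to carry over when reviewing similar refactors: when a helper is extracted from several call sites, every field it reads must be valid at every call site, or the helper must test for the cases where it is not. Here the pointer is NULL by design on one path, so the fix belongs in the shared helper rather than at the caller.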

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 20:54:56 UTC

Technical Analysis

CVE-2024-49863 is a vulnerability in the Linux kernel's vhost-scsi subsystem, specifically a null pointer dereference in the function vhost_scsi_get_req(). The issue arises from improper handling of SCSI AN (Asynchronous Notification) requests sent by a guest in a virtualized environment using vhost-scsi. In the vulnerable code, the pointer vc.target is assigned based on the request type. For VIRTIO_SCSI_T_AN_* requests, vc.target is explicitly set to NULL because the target portal group (tpg) is not required. However, vhost_scsi_get_req() later dereferences vc.target without checking whether it is NULL, leading to a null pointer dereference. This crashes the vhost_worker process while it holds a mutex (vq->mutex), resulting in a general protection fault and the indefinite occupation of the corresponding target portal group (tpg). The bug can be triggered from a guest VM by sending a crafted SCSI AN request, making it a denial-of-service (DoS) vector against the host's vhost-scsi service. The vulnerability was introduced by commit 3f8ca2e115e5 and affects Linux kernel versions including 6.10.0+, the version on which the KASAN report was captured. The root cause is a missing null check in vhost_scsi_get_req(), which has been addressed by adding the necessary validation. This vulnerability does not require user interaction beyond the guest VM sending the malicious request, but it does require the attacker to have guest VM access to the host's vhost-scsi interface. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to environments running Linux hosts with vhost-scsi enabled for virtualization, such as cloud providers, data centers, and enterprises using KVM/QEMU virtualization with SCSI passthrough or emulation. Exploitation can cause denial of service by crashing the vhost_worker process, potentially leading to degraded performance or unavailability of virtualized storage services. This can disrupt critical workloads relying on virtual machines, impacting business continuity. Since the bug causes indefinite occupation of target portal groups, it may also lead to resource exhaustion and complicate recovery without host intervention. Confidentiality and integrity impacts are limited, as the vulnerability does not directly allow code execution or privilege escalation, but the availability impact is significant. European organizations with high virtualization density or those providing Infrastructure as a Service (IaaS) are particularly at risk. Additionally, organizations running affected Linux kernel versions without timely patching may face operational disruptions. The lack of known exploits reduces immediate risk, but the ease of triggering the bug from guest VMs means that malicious insiders or compromised guests could leverage this vulnerability.

Mitigation Recommendations

To mitigate CVE-2024-49863, organizations should:

1) Apply the official Linux kernel patches that add the necessary null pointer checks in vhost_scsi_get_req() as soon as they become available from trusted Linux distributions or kernel maintainers.
2) For environments where patching is delayed, consider disabling vhost-scsi or restricting guest VM capabilities to prevent sending crafted SCSI AN requests.
3) Implement strict isolation and monitoring of guest VMs to detect anomalous SCSI traffic patterns that could indicate exploitation attempts.
4) Use kernel live patching solutions if available to minimize downtime while applying fixes.
5) Regularly audit virtualization host configurations to ensure vhost-scsi is only enabled where necessary and that guest VM privileges are minimized.
6) Monitor system logs and kernel crash reports for signs of vhost_worker process crashes or mutex lockups indicative of exploitation.
7) Engage with Linux vendor security advisories and update virtualization infrastructure promptly.

These steps go beyond generic advice by focusing on virtualization-specific controls and operational monitoring tailored to the vhost-scsi subsystem.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.017Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe07de

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 8:54:56 PM

Last updated: 7/31/2025, 6:50:06 PM
