CVE-2024-49884: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix slab-use-after-free in ext4_split_extent_at()

We hit the following use-after-free:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
 <TASK>
 kasan_report+0x93/0xc0
 ext4_split_extent_at+0xba8/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
 [...]

Allocated by task 40:
 __kmalloc_noprof+0x1ac/0x480
 ext4_find_extent+0xf3b/0x1e70
 ext4_ext_map_blocks+0x188/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
 [...]

Freed by task 40:
 kfree+0xf1/0x2b0
 ext4_find_extent+0xa71/0x1e70
 ext4_ext_insert_extent+0xa22/0x3260
 ext4_split_extent_at+0x3ef/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
 [...]
==================================================================

The flow of issue triggering is as follows:

ext4_split_extent_at
  path = *ppath
  ext4_ext_insert_extent(ppath)
    ext4_ext_create_new_leaf(ppath)
      ext4_find_extent(orig_path)
        path = *orig_path
        read_extent_tree_block // return -ENOMEM or -EIO
        ext4_free_ext_path(path)
          kfree(path)
        *orig_path = NULL
  a. If err is -ENOMEM:
    ext4_ext_dirty(path + path->p_depth) // path use-after-free !!!
  b. If err is -EIO and we have EXT_DEBUG defined:
    ext4_ext_show_leaf(path)
      eh = path[depth].p_hdr // path also use-after-free !!!

So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path.

In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.
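The cached-pointer pattern the commit describes, as an added example in C that is not kernel code: find_extent, show_leaf, split_extent_at and run_case are constructed stand-ins for ext4_find_extent(), ext4_ext_show_leaf(), ext4_split_extent_at() and the write path. It shows the hardened form, re-resolving the path through *ppath after a callee that may have freed it, rather than reusing the local copy taken before the call.

```c
#include <errno.h>
#include <stdlib.h>
/* Constructed model of the pointer-ownership bug behind CVE-2024-49884; the
 * names are stand-ins for the ext4 structures and functions, not kernel code. */
struct ext_path { int depth; int dirty; };
/* Stand-in for ext4_find_extent(): on error it frees the caller's path and
 * clears *orig_path, so every cached copy of the old pointer is now stale. */
static int find_extent(struct ext_path **orig_path, int fail_with)
{
    if (fail_with) {                       /* read_extent_tree_block() failed */
        free(*orig_path);                  /* ext4_free_ext_path(path) */
        *orig_path = NULL;
        return fail_with;                  /* -ENOMEM or -EIO */
    }
    if (!*orig_path && !(*orig_path = calloc(1, sizeof **orig_path)))
        return -ENOMEM;
    return 0;
}

/* Stand-in for ext4_ext_show_leaf(): tolerates the NULL left in *ppath after
 * a failed lookup, which is why the fix passes *ppath rather than 'path'. */
static int show_leaf(const struct ext_path *path) { return path ? path->depth : -1; }
/* Hardened caller. The buggy version kept using the local 'path' captured
 * before the call; here the pointer is re-resolved through *ppath instead. */
static int split_extent_at(struct ext_path **ppath, int insert_err)
{
    struct ext_path *path = *ppath;            /* snapshot: invalid after an error */
    int err = find_extent(ppath, insert_err);  /* models ext4_ext_insert_extent() */
    if (err == -ENOMEM) {
        /* Vulnerable form did: path->dirty = 1; but 'path' was freed by the callee. */
        if ((err = find_extent(ppath, 0)) != 0) /* re-walk the tree for a live path */
            return err;
        path = *ppath;
        path->dirty = 1;                        /* models ext4_ext_dirty() on a live path */
    }
    if (err)
        show_leaf(*ppath);                      /* debug dump via *ppath, never 'path' */
    return err;
}

/* Runs one scenario end to end and reports whether a live path remains. */
static int run_case(int insert_err, int *path_alive)
{
    struct ext_path *p = NULL;
    int rc = find_extent(&p, 0) ? -ENOMEM : split_extent_at(&p, insert_err);
    *path_alive = (p != NULL);
    free(p);
    return rc;
}
```

run_case(-ENOMEM, ...) recovers a live path, and run_case(-EIO, ...) propagates the error with *ppath left NULL; in both cases nothing touches the freed allocation.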
AI Analysis
Technical Summary
CVE-2024-49884 is a use-after-free vulnerability identified and resolved in the Linux kernel's ext4 filesystem implementation, specifically within the ext4_split_extent_at() function. The vulnerability arises during extent splitting, where the kernel mishandles the lifetime of the extent-tree path structure. ext4_split_extent_at() keeps a local copy of the path pointer (path = *ppath) and then calls ext4_ext_insert_extent(); if ext4_find_extent() fails further down that call chain with -ENOMEM or -EIO, it frees the path and sets *ppath to NULL, but the caller continues to use its stale local copy in ext4_ext_dirty() (on -ENOMEM) or, when EXT_DEBUG is defined, in ext4_ext_show_leaf() (on -EIO). This leads to a use-after-free in which the kernel reads memory that has already been deallocated, causing undefined behavior. The issue is triggered during write-back through ext4_do_writepages(), which calls ext4_map_blocks() and subsequently ext4_ext_map_blocks(), eventually reaching ext4_split_extent_at(). The vulnerability was detected by the Kernel Address Sanitizer (KASAN) as a slab-use-after-free error, indicating a read of freed memory. The root cause is that the extent path pointer is not refreshed after an error return from ext4_find_extent(), so a stale pointer is dereferenced. The fix calls ext4_find_extent() to re-establish the path before zeroing out or fixing the extent length, and passes *ppath directly to ext4_ext_show_leaf() so that the EXT_DEBUG code path cannot touch freed memory and no unnecessary path updates are made. This vulnerability affects Linux kernel versions containing the specified commit hash dfe5080939ea4686b3414b5d970a9b26733c57a4, which corresponds to recent kernel versions around 6.9.0. The vulnerability does not currently have known exploits in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-49884 can be significant, especially for those relying heavily on Linux servers using the ext4 filesystem, which is the default filesystem for many Linux distributions widely deployed in enterprise environments. Exploitation of this vulnerability could lead to kernel crashes (denial of service) or potentially enable attackers to execute arbitrary code with kernel privileges if combined with other vulnerabilities or conditions, thereby compromising system confidentiality, integrity, and availability. This is particularly critical for data centers, cloud providers, and critical infrastructure operators in Europe that depend on Linux-based systems for hosting services, databases, and applications. The use-after-free flaw could be triggered by local users or processes with write access to ext4 filesystems, which may include containerized environments or virtual machines running on Linux hosts. Although remote exploitation is less likely without additional attack vectors, insider threats or compromised accounts could leverage this vulnerability to escalate privileges or disrupt operations. Given the widespread use of Linux in European governmental, financial, and industrial sectors, unpatched systems could face operational disruptions, data loss, or unauthorized access risks.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to the patched versions that include the fix for CVE-2024-49884. Specifically, they should:
1) Identify all systems running vulnerable Linux kernel versions, particularly those using ext4 filesystems.
2) Apply kernel updates from trusted Linux distribution vendors as soon as patches become available.
3) For environments where immediate patching is not feasible, consider temporarily restricting write operations to ext4 filesystems or isolating critical systems to limit exposure.
4) Enable and monitor kernel debugging and sanitization tools such as KASAN in test environments to detect similar memory corruption issues proactively.
5) Implement strict access controls and auditing on systems with ext4 filesystems to detect suspicious activities that might attempt to exploit this vulnerability.
6) Employ layered security controls such as SELinux or AppArmor to limit the impact of potential kernel exploits.
7) Regularly back up critical data and test recovery procedures to mitigate the impact of potential denial-of-service or data corruption incidents resulting from exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.022Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 9:11:58 PM
Last updated: 9/26/2025, 12:39:42 PM