CVE-2024-49903: Vulnerability in the Linux kernel (JFS)
In the Linux kernel, the following vulnerability has been resolved:

jfs: Fix uaf in dbFreeBits

[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216

CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __mutex_lock_common kernel/locking/mutex.c:587 [inline]
 __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

Freed by task 5218:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x149/0x360 mm/slub.c:4594
 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
 reconfigure_super+0x445/0x880 fs/super.c:1083
 vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
 vfs_fsconfig_locked fs/fsopen.c:292 [inline]
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
 __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[Analysis]
There are two paths (dbUnmount and jfs_ioc_trim) that generate a race condition when accessing bmap, which leads to the occurrence of uaf. Use the lock s_umount to synchronize them, in order to avoid uaf caused by race condition.
AI Analysis
Technical Summary
CVE-2024-49903 is a use-after-free (UAF) vulnerability in the Linux kernel's JFS (Journaled File System) implementation. The flaw is a race condition between two code paths, dbUnmount and jfs_ioc_trim, which access and manipulate the bmap (block map) structure concurrently without synchronization: one path frees the bmap while the other is still using it. The bug was found and reported by syzbot, the kernel fuzzing infrastructure, and the accompanying Kernel Address Sanitizer (KASAN) report shows a slab-use-after-free read in __mutex_lock, reached from dbFreeBits through the jfs_ioc_trim ioctl path, on memory that a concurrent remount (jfs_remount via dbUnmount) had already freed. The root cause is that the two paths were not serialized against each other; the fix uses the superblock's s_umount lock to synchronize them. Exploiting the flaw could allow an attacker with local access to trigger kernel memory corruption, potentially leading to privilege escalation, denial of service (kernel panic), or arbitrary code execution in kernel context. The vulnerability affects Linux kernel versions prior to the patch, including the 6.11.0-rc3 release candidate referenced in the report. No CVSS score has been assigned yet, and no exploits in the wild were known at the time of publication. Triggering the race requires local code execution and does not appear to require user interaction beyond invoking ordinary filesystem operations on a JFS volume.
Potential Impact
For European organizations, the impact of CVE-2024-49903 can be significant, especially for those relying on Linux servers running JFS volumes. Although JFS is less common than other filesystems like ext4 or XFS, it is still used in certain legacy systems and specialized environments. Successful exploitation could allow attackers with local access to escalate privileges to root, compromising confidentiality, integrity, and availability of critical systems. This could lead to unauthorized data access, system downtime, or persistent backdoors within infrastructure. The vulnerability poses a higher risk in multi-tenant environments such as cloud providers or shared hosting platforms where attackers may gain local code execution through container escapes or other means. Additionally, industrial control systems or embedded devices running Linux with JFS may be vulnerable, potentially impacting critical infrastructure sectors in Europe. Given the complexity of exploitation, the threat is more relevant to organizations with advanced threat actors or insider threats capable of executing local code on affected systems.
Mitigation Recommendations
1. Immediate patching: Apply the official Linux kernel updates that fix the race condition by using the s_umount lock to synchronize access to the bmap structures in JFS. Monitor Linux kernel mailing lists and vendor advisories for backported patches if using enterprise distributions.
2. Filesystem audit: Identify and inventory systems using JFS volumes and assess their exposure. Where feasible, migrate critical data from JFS to more widely supported and actively maintained filesystems such as ext4 or XFS to reduce attack surface.
3. Access control hardening: Restrict local access to systems running JFS, employing strict user privilege separation and minimizing the number of users with local shell or code execution rights.
4. Kernel hardening: Enable kernel security features such as KASAN (a debug-build option with significant runtime overhead, so realistic on test and staging systems rather than production), SELinux/AppArmor, and kernel lockdown modes to detect or prevent exploitation attempts.
5. Monitoring and detection: Implement monitoring for unusual kernel crashes or logs indicative of use-after-free conditions (KASAN "slab-use-after-free" reports, oopses or panics with fs/jfs frames), and deploy host-based intrusion detection to flag anomalous filesystem ioctl calls or suspicious kernel behavior.
6. Incident response readiness: Prepare for potential exploitation scenarios by establishing procedures to isolate affected systems and perform forensic analysis if exploitation is suspected.
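The analysis names the two racing paths only in prose, and recommendations 2 and 5 ask for a JFS inventory and for monitoring of use-after-free reports. As an added example (not part of the advisory, nor code from the kernel or syzbot), the Python below parses a KASAN report of the kind quoted above into its access stack and its free stack, so a responder can read off which syscall used the object and which syscall freed it, and lists JFS mounts from /proc/mounts-style text. The sample report is an abridged copy of the trace in the advisory; the /proc/mounts sample is constructed. All function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# One kernel stack frame: "func+0xoff/0xlen path:line [inline]"; the offset part is optional.
FRAME_RE = re.compile(r"^\s*(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<path>\S+):\d+")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
FREED_RE = re.compile(r"Freed by task (?P<pid>\d+):")

@dataclass
class KasanReport:
    kind: str = ""          # e.g. "slab-use-after-free"
    rw: str = ""
    size: int = 0
    addr: str = ""
    pid: int = 0            # task that made the bad access
    freed_by_pid: int = 0   # task that freed the object
    use_frames: list = field(default_factory=list)   # (func, path), innermost first
    free_frames: list = field(default_factory=list)

def parse_kasan_report(text):
    """Split one KASAN report into the access stack and the free stack."""
    rep, section = KasanReport(), None
    for line in text.splitlines():
        if (m := BUG_RE.search(line)) and not rep.kind:
            rep.kind = m.group("kind")
        elif m := ACCESS_RE.search(line):
            rep.rw, rep.size = m.group("rw"), int(m.group("size"))
            rep.addr, rep.pid = m.group("addr"), int(m.group("pid"))
        elif line.strip() == "Call Trace:":
            section = "use"
        elif m := FREED_RE.search(line):
            rep.freed_by_pid, section = int(m.group("pid")), "free"
        elif line.startswith(("Allocated by task", "The buggy address")):
            section = None      # later sections are not stacks we need
        elif section and (m := FRAME_RE.match(line)):
            frames = rep.use_frames if section == "use" else rep.free_frames
            frames.append((m.group("func"), m.group("path")))
    return rep

def first_frame_under(frames, prefix):
    """Innermost frame whose source file lives under prefix, e.g. 'fs/jfs/'."""
    return next((func for func, path in frames if path.startswith(prefix)), None)

def entry_syscall(frames):
    """Syscall that led to this stack, read from its __do_sys_* frame."""
    return next((f[len("__do_sys_"):] for f, _ in frames if f.startswith("__do_sys_")), None)

def summarize(rep, subsystem="fs/jfs/"):
    """Condense a report into the two racing paths a responder cares about."""
    return {
        "kind": rep.kind,
        "access": f"{rep.rw} of size {rep.size} at {rep.addr}",
        "use_site": first_frame_under(rep.use_frames, subsystem),
        "use_syscall": entry_syscall(rep.use_frames),
        "free_site": first_frame_under(rep.free_frames, subsystem),
        "free_syscall": entry_syscall(rep.free_frames),
        # a different task freeing the object is the signature of a race, not a plain logic bug
        "cross_task": rep.freed_by_pid != 0 and rep.freed_by_pid != rep.pid,
    }

def jfs_mounts(proc_mounts_text):
    """(device, mountpoint, options) for each jfs entry in /proc/mounts-style text."""
    rows = [line.split() for line in proc_mounts_text.splitlines()]
    return [(r[0], r[1], r[3]) for r in rows if len(r) >= 4 and r[2] == "jfs"]

# Abridged copy of the syzbot report quoted in the advisory, one frame per line as dmesg prints it.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216
Call Trace:
 <TASK>
 __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
 __do_sys_ioctl fs/ioctl.c:907 [inline]
Freed by task 5218:
 kfree+0x149/0x360 mm/slub.c:4594
 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
 __do_sys_fsconfig fs/fsopen.c:473 [inline]
"""

# Constructed /proc/mounts content for the inventory step (not from the advisory).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /srv/legacy jfs rw,relatime 0 0
/dev/sdc1 /mnt/archive jfs ro,relatime 0 0
"""

if __name__ == "__main__":
    for key, val in summarize(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:13} {val}")
    print("JFS mounts:", jfs_mounts(SAMPLE_MOUNTS))
```

On a real host, feed `parse_kasan_report` the output of `journalctl -k` or `dmesg` and `jfs_mounts` the contents of /proc/mounts; a summary whose use and free sites both sit under fs/jfs/ and whose `cross_task` flag is set is exactly the pattern this CVE's report shows, and is worth escalating even when the box did not panic.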
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.027Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe0940
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 9:26:13 PM
Last updated: 8/11/2025, 11:01:39 PM
Views: 13