
CVE-2024-50047: Vulnerability in the Linux kernel

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 19:39:44 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in async decryption

Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API.

Reproducer:

    # mount.cifs -o ...,seal,esize=1 //srv/share /mnt
    # dd if=/mnt/largefile of=/dev/null
    ...
    [  194.196391] ==================================================================
    [  194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
    [  194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
    [  194.197707]
    [  194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
    [  194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
    [  194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
    [  194.200032] Call Trace:
    [  194.200191]  <TASK>
    [  194.200327]  dump_stack_lvl+0x4e/0x70
    [  194.200558]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.200809]  print_report+0x174/0x505
    [  194.201040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
    [  194.201352]  ? srso_return_thunk+0x5/0x5f
    [  194.201604]  ? __virt_addr_valid+0xdf/0x1c0
    [  194.201868]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.202128]  kasan_report+0xc8/0x150
    [  194.202361]  ? gf128mul_4k_lle+0xc1/0x110
    [  194.202616]  gf128mul_4k_lle+0xc1/0x110
    [  194.202863]  ghash_update+0x184/0x210
    [  194.203103]  shash_ahash_update+0x184/0x2a0
    [  194.203377]  ? __pfx_shash_ahash_update+0x10/0x10
    [  194.203651]  ? srso_return_thunk+0x5/0x5f
    [  194.203877]  ? crypto_gcm_init_common+0x1ba/0x340
    [  194.204142]  gcm_hash_assoc_remain_continue+0x10a/0x140
    [  194.204434]  crypt_message+0xec1/0x10a0 [cifs]
    [  194.206489]  ? __pfx_crypt_message+0x10/0x10 [cifs]
    [  194.208507]  ? srso_return_thunk+0x5/0x5f
    [  194.209205]  ? srso_return_thunk+0x5/0x5f
    [  194.209925]  ? srso_return_thunk+0x5/0x5f
    [  194.210443]  ? srso_return_thunk+0x5/0x5f
    [  194.211037]  decrypt_raw_data+0x15f/0x250 [cifs]
    [  194.212906]  ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
    [  194.214670]  ? srso_return_thunk+0x5/0x5f
    [  194.215193]  smb2_decrypt_offload+0x12a/0x6c0 [cifs]

This is because TFM is being used in parallel.

Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()).

Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation.

AI-Powered Analysis

Last updated: 06/28/2025, 16:41:09 UTC

Technical Analysis

CVE-2024-50047 is a use-after-free (UAF) in the Linux kernel's SMB client (the cifs module), hit on the asynchronous decryption path that handles large encrypted READ responses. The client keeps one AEAD (Authenticated Encryption with Associated Data) transform (TFM) for decrypting sealed SMB3 traffic, and before the fix that single TFM served both the synchronous path and the smb3decryptd workqueue that decrypts large reads off the receive thread. The TFM is rekeyed for every message, and rekeying rebuilds the transform's key-derived state, so when a worker and the synchronous path (or two workers) use the TFM in parallel, one of them frees state the other is still reading. The KASAN report shows exactly that: an 8-byte read of freed memory in gf128mul_4k_lle, the GHASH multiplication table behind AES-GCM, reached from crypt_message() via decrypt_raw_data() and smb2_decrypt_offload(). The reproducer in the fix commit needs nothing more than a mount with seal (SMB3 encryption) and esize=1 (esize sets the minimum encrypted read size that is offloaded to the worker, so 1 forces every read through the async path) followed by a large sequential read. No malicious server or crafted packet is involved; any local user able to read from such a mount can trigger it. The demonstrated outcome is a kernel crash (denial of service). As with any kernel UAF, memory corruption beyond a crash cannot be excluded, but no code-execution or privilege-escalation path has been shown. The fix allocates a separate AEAD TFM for the async decryption worker and keeps the existing one for synchronous READs (the approach smb3_calc_signature() already takes), and drops the aead_request_set_callback() and crypto_wait_req() calls on that path because the operation is synchronous. Kernels before the fix that mount SMB3 shares with encryption enabled are affected; this record carries no CVSS score, and no exploitation in the wild has been reported.
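To make the concurrency fault concrete, the following is a user-space model added for this page; it is not kernel code and not part of the fix or of the original advisory. It mirrors the kernel path only loosely: a transform (`tfm`) owns a key-derived table that `tfm_setkey()` frees and rebuilds, the way the GHASH transform inside AES-GCM rebuilds its multiplication table on rekey, and every request rekeys the transform before walking its message, as crypt_message() does for each message. The table contents and the mixing step are a hypothetical stand-in, not GF(2^128) arithmetic, and the arena never reuses slots so that a freed table stays detectably dead. `run_shared_tfm()` plays the vulnerable arrangement (one transform shared by the synchronous path and the worker) under the interleaving that frees a table in use; `run_separate_tfm()` plays the patched arrangement with one transform per path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 8
#define TABLE_WORDS 16

/* Key-derived table owned by a transform (stand-in for the GHASH 4k table). */
struct table { uint64_t m[TABLE_WORDS]; int live; };

/* Bump-allocated arena: slots are never reused within a scenario, so a freed
 * table stays detectably dead. Real slab memory is recycled, which is why the
 * kernel bug can also corrupt silently instead of crashing. */
static struct table arena[SLOTS];
static int next_slot;

static void arena_reset(void) { memset(arena, 0, sizeof arena); next_slot = 0; }

static struct table *table_alloc(const uint8_t key[16]) {
    if (next_slot >= SLOTS) return NULL;
    struct table *t = &arena[next_slot++];
    for (int w = 0; w < TABLE_WORDS; w++)   /* hypothetical key schedule, not GF(2^128) */
        t->m[w] = (((uint64_t)key[w] + 1) * 0x9E3779B97F4A7C15ULL) ^ (uint64_t)w;
    t->live = 1;
    return t;
}
static void table_free(struct table *t) { if (t) t->live = 0; }

struct tfm { struct table *tab; };

/* crypto_aead_setkey() stand-in: the previous table is freed and a fresh one built. */
static void tfm_setkey(struct tfm *t, const uint8_t key[16]) {
    table_free(t->tab);
    t->tab = table_alloc(key);
}
static void tfm_release(struct tfm *t) { table_free(t->tab); t->tab = NULL; }

/* One decryption, split in two so an interleaving can be chosen:
 * req_start() rekeys and takes the table, req_finish() walks the message with it. */
struct req { struct tfm *tfm; const uint8_t *key; const struct table *using; };

static void req_start(struct req *r) {
    tfm_setkey(r->tfm, r->key);
    r->using = r->tfm->tab;
}

/* Returns 0 and writes the tag, or -1 if the table died under the request
 * (the access KASAN reported inside gf128mul_4k_lle). */
static int req_finish(const struct req *r, const uint8_t *msg, size_t len, uint64_t *tag) {
    uint64_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        if (!r->using->live) return -1;
        acc = (acc ^ msg[i]) * r->using->m[msg[i] % TABLE_WORDS] + r->using->m[i % TABLE_WORDS];
    }
    *tag = acc;
    return 0;
}

/* Constructed inputs: one session key and one ciphertext fragment. */
static const uint8_t KEY[16] = "0123456789abcdef";
static const uint8_t MSG[24] = "encrypted READ response!";
static uint64_t last_tag_a, last_tag_b;

/* Vulnerable arrangement: the synchronous READ path (a) and the smb3decryptd worker (b)
 * share one transform. Interleaving: a rekeys, b rekeys (freeing a's table), a finishes
 * on the freed table. Returns how many requests touched a dead table. */
int run_shared_tfm(void) {
    arena_reset();
    struct tfm shared = { NULL };
    struct req a = { &shared, KEY, NULL }, b = { &shared, KEY, NULL };
    req_start(&a);
    req_start(&b);
    int stale = (req_finish(&a, MSG, sizeof MSG, &last_tag_a) < 0)
              + (req_finish(&b, MSG, sizeof MSG, &last_tag_b) < 0);
    tfm_release(&shared);
    return stale;
}

/* Patched arrangement: the async path gets its own transform and the synchronous path
 * keeps the existing one. Same interleaving, no shared table, nothing freed under use. */
int run_separate_tfm(void) {
    arena_reset();
    struct tfm sync_tfm = { NULL }, async_tfm = { NULL };
    struct req a = { &sync_tfm, KEY, NULL }, b = { &async_tfm, KEY, NULL };
    req_start(&a);
    req_start(&b);
    int stale = (req_finish(&a, MSG, sizeof MSG, &last_tag_a) < 0)
              + (req_finish(&b, MSG, sizeof MSG, &last_tag_b) < 0);
    tfm_release(&sync_tfm);
    tfm_release(&async_tfm);
    return stale;
}

/* Both requests of the last run used the same key on the same data, so after the
 * patched run their tags must agree; returns 1 when they do. */
int last_tags_agree(void) { return last_tag_a == last_tag_b; }

int main(void) {
    printf("shared tfm:   %d stale access(es)\n", run_shared_tfm());
    int s = run_separate_tfm();
    printf("separate tfm: %d stale access(es), tags agree: %d\n", s, last_tags_agree());
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`: the shared run reports one stale access, the separate run none. The model is deliberately deterministic; in the kernel the same interleaving depends on scheduling and on more than one READ being in flight, and because slab memory is recycled the stale read can just as well return another request's table and yield a wrong tag rather than a fault, which is why a KASAN build is what surfaced the bug.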

Potential Impact

For European organizations the exposed population is Linux hosts that mount SMB3 shares with encryption (seal) enabled: file gateways, application and virtualization hosts that mount shares for images or backups, and cloud workloads on SMB-backed storage. The demonstrated impact is a kernel crash, so the direct consequence is the loss of the whole host and of every service running on it, not only the file transfer; a single unprivileged process performing large reads on such a mount is enough to trigger it. Turning the use-after-free into code execution with kernel privileges has not been demonstrated and would require further work, but it is the reason kernel UAFs are not treated as crash-only bugs. Sealed SMB is exactly what regulated sectors (government, finance, industrial) deploy to protect file traffic, so the fix should not be deferred on the assumption that encryption-enabled mounts are rare. No exploitation in the wild has been reported, which lowers the urgency but not the priority.

Mitigation Recommendations

European organizations should apply the fixed kernel from their distribution as soon as it is available; the change is small and confined to the cifs client. Until then: 1) Do not disable encryption (seal) to dodge the bug, since that trades a crash for plaintext file traffic; instead keep reads on the synchronous path by not offloading decryption, that is, drop the esize= option from cifs mounts that set it (the reproducer relies on esize=1 to force offloading). 2) Restrict which hosts may reach SMB servers and which users may read from sealed mounts, since any local reader can trigger the crash. 3) Watch kernel logs for crashes in the cifs module: on production kernels this appears as an oops or general protection fault with gf128mul_4k_lle, ghash_update, crypt_message, decrypt_raw_data or smb2_decrypt_offload in the call trace, typically under a kworker thread on the smb3decryptd workqueue; only KASAN-enabled test kernels print the slab-use-after-free banner shown in the description. 4) Run KASAN builds in test environments to catch this class of bug before it reaches production. 5) Segment SMB traffic (TCP 445) with firewall rules so that only the intended clients and servers exchange it. 6) Keep kernels and the cifs-utils package on a regular update cadence so the fix arrives with the next routine patch cycle. 7) In virtualized environments the affected component is the guest kernel that performs the mount; patch guests that mount SMB shares, and hypervisors only insofar as they mount shares themselves.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-10-21T12:17:06.071Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9824c4522896dcbdfdd0

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 4:41:09 PM

Last updated: 8/14/2025, 7:05:39 AM
