CVE-2024-50106: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix race between laundromat and free_stateid

There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlocks the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following: (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will not release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to dereference a freed delegation stateid, leading to the following use-after-free KASAN warning:

kernel: ==================================================================
kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd]
kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205
kernel:
kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9
kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024
kernel: Call trace:
kernel: dump_backtrace+0x98/0x120
kernel: show_stack+0x1c/0x30
kernel: dump_stack_lvl+0x80/0xe8
kernel: print_address_description.constprop.0+0x84/0x390
kernel: print_report+0xa4/0x268
kernel: kasan_report+0xb4/0xf8
kernel: __asan_report_load8_noabort+0x1c/0x28
kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd]
kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd]
kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd]
kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd]
kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd]
kernel: nfsd4_open+0xa08/0xe80 [nfsd]
kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd]
kernel: nfsd_dispatch+0x22c/0x718 [nfsd]
kernel: svc_process_common+0x8e8/0x1960 [sunrpc]
kernel: svc_process+0x3d4/0x7e0 [sunrpc]
kernel: svc_handle_xprt+0x828/0xe10 [sunrpc]
kernel: svc_recv+0x2cc/0x6a8 [sunrpc]
kernel: nfsd+0x270/0x400 [nfsd]
kernel: kthread+0x288/0x310
kernel: ret_from_fork+0x10/0x20

This patch proposes a fix that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First, to make sure that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat takes a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each checks that state and acts accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list.

Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stids that are marked removed or freeable; it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely.
AI Analysis
Technical Summary
CVE-2024-50106 is a high-severity use-after-free vulnerability in the Linux kernel's NFS server daemon (nfsd), specifically affecting the handling of state IDs (stid) related to NFSv4 delegations. The vulnerability arises from a race condition between the laundromat thread, which manages expired delegation revocations, and a client thread processing the free_stateid operation. When a delegation expires, the laundromat marks the delegation's stid as revoked and places it on a reaper list before unlocking the state lock. Concurrently, a free_stateid thread may remove the stid from the reaper list and free its memory without proper synchronization. This leads to a use-after-free scenario when a new open operation on the same file attempts to access the freed stid, causing kernel memory corruption and triggering Kernel Address Sanitizer (KASAN) warnings. The root cause is the improper coordination between the laundromat and free_stateid operations, resulting in the laundromat skipping the revoke_delegation() call and failing to release the file lease lock. The patch introduces two new stid status values to coordinate these operations, ensuring that once a stid is marked revoked, it is not prematurely removed or freed. It also adjusts the handling of delegation returns to correctly return nfserr_deleg_revoked instead of nfserr_bad_stateid, preventing indefinite retention of revoked delegations on the cl_revoked list. This vulnerability is tracked under CWE-416 (Use After Free) and has a CVSS 3.1 score of 7.8, reflecting its high impact on confidentiality, integrity, and availability. Exploitation requires local privileges with low complexity and no user interaction, but it can lead to kernel crashes or potentially privilege escalation due to memory corruption.
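As an added illustration (this is not the kernel's code, nor from the patch itself), the following C model walks through the coordination the commit message describes: the laundromat takes a reference and marks the stid before dropping the lock, FREE_STATEID either unlinks a queued stid or marks it freed so the laundromat skips queueing, and DELEGRETURN answers deleg_revoked for a stid still being processed. The flag names SC_FREEABLE/SC_FREED, the struct layout and every helper are assumptions standing in for nfsd internals.

```c
#include <stdbool.h>
/* Hypothetical sc_status bits: SC_REVOKED stands for the existing revoked mark,
 * SC_FREEABLE and SC_FREED model the two new values the patch adds. */
enum { SC_REVOKED = 1, SC_FREEABLE = 2, SC_FREED = 4 };
struct stid {
    int status;
    int refcount;       /* 1 = only the owner reference is held */
    bool on_cl_revoked; /* linked on the client's cl_revoked list */
    bool released;      /* the memory would have been freed at this point */
};

/* Drop a reference; the last one frees the stid. */
static void stid_put(struct stid *s) {
    if (--s->refcount == 0) s->released = true;
}

/* Laundromat, under the state lock: mark revoked/freeable and take a reference
 * so a racing FREE_STATEID cannot free the stid while the lock is dropped. */
static void laundromat_mark(struct stid *s) {
    s->status |= SC_REVOKED | SC_FREEABLE;
    s->refcount++;
}

/* Laundromat, after revoke_delegation() released the lease and retook the lock:
 * queue on cl_revoked only if FREE_STATEID has not already marked it FREED. */
static bool laundromat_finish(struct stid *s) {
    bool queued = !(s->status & SC_FREED);
    if (queued) s->on_cl_revoked = true;
    s->status &= ~SC_FREEABLE;
    stid_put(s);
    return queued;
}

/* FREE_STATEID: unlink if the laundromat already queued the stid, otherwise mark
 * it FREED so the laundromat skips queueing; then drop the owner reference. */
static void free_stateid(struct stid *s) {
    if (s->on_cl_revoked) s->on_cl_revoked = false;
    else s->status |= SC_FREED;
    stid_put(s);
}

/* DELEGRETURN lookup: a stid the laundromat is still processing answers
 * deleg_revoked (so the client sends FREE_STATEID), never bad_stateid. */
enum nfserr { NFS_OK, NFSERR_BAD_STATEID, NFSERR_DELEG_REVOKED };
static enum nfserr delegreturn_lookup(const struct stid *s) {
    if (s->released) return NFSERR_BAD_STATEID;
    if (s->status & (SC_REVOKED | SC_FREEABLE)) return NFSERR_DELEG_REVOKED;
    return NFS_OK;
}
```

Whichever order the two operations run in, the stid is freed exactly once, only after the laundromat has dropped its reference, and never stays on cl_revoked.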
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for enterprises and service providers relying on Linux-based NFS servers for file sharing and storage. The use-after-free flaw can cause kernel crashes leading to denial of service (DoS) conditions, disrupting critical business operations and data availability. More critically, memory corruption vulnerabilities in the kernel can be leveraged by attackers with local access to escalate privileges, potentially compromising entire systems and sensitive data. Organizations in sectors such as finance, healthcare, government, and telecommunications, which often use NFS for shared storage, are particularly at risk. The vulnerability's exploitation could lead to unauthorized data access, data integrity violations, and prolonged service outages. Given the widespread deployment of Linux servers across Europe, the impact could be broad, affecting both private enterprises and public sector infrastructure.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-50106 as soon as they become available. Until patches are deployed, organizations should:
1) Restrict local access to NFS servers to trusted users only, minimizing the risk of exploitation by unprivileged users.
2) Implement strict access controls and monitoring on NFS server processes to detect anomalous behavior indicative of exploitation attempts.
3) Consider temporarily disabling NFSv4 delegation features if feasible, as the vulnerability specifically involves delegation state handling.
4) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory corruption issues proactively.
5) Maintain up-to-date intrusion detection and prevention systems capable of identifying exploitation patterns targeting NFS services.
6) Conduct thorough audits of NFS server configurations and usage to ensure minimal exposure.
These measures, combined with timely patching, will reduce the risk and impact of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.946Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbdff71
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 7/2/2025, 11:55:04 PM
Last updated: 8/16/2025, 6:40:29 AM