CVE-2024-50121: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute `echo 0 > /proc/fs/nfsd/threads`, the function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will release all resources related to the hashed `nfs4_client`. If the `nfsd_client_shrinker` is running concurrently, the `expire_client` function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

    nfsd_client_shrinker                      echo 0 > /proc/fs/nfsd/threads
      expire_client                             nfsd_shutdown_net
        unhash_client                             ...
                                                  nfs4_state_shutdown_net
                                                    /* won't wait shrinker exit */
        /* cancel_work(&nn->nfsd_shrinker_work)
         * nfsd_file for this                       /* won't destroy unhashed client1 */
         * client1 still alive                      nfs4_state_destroy_net
         */
                                                  nfsd_file_cache_shutdown
                                                    /* trigger warning */
                                                    kmem_cache_destroy(nfsd_file_slab)
                                                    kmem_cache_destroy(nfsd_file_mark_slab)
        /* release nfsd_file and mark */
        __destroy_client

    ====================================================================
    BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()
    --------------------------------------------------------------------
    CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1
     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

    ====================================================================
    BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown()
    --------------------------------------------------------------------
     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel `nfsd_shrinker_work` using synchronous mode in nfs4_state_shutdown_net.
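The ordering problem in the commit message is a general one: a shutdown path that cancels a work item without waiting for an already-running instance can tear down a cache while that instance still holds an object. The following user-space model is an added example and is not kernel code; it mimics the two orderings with a pthread standing in for the shrinker work item. All names in it (`shrinker_work`, `shutdown_net`, `run_shutdown_scenario`, the `live_objects` counter) are invented for the illustration. The "don't wait" path corresponds to the kernel's `cancel_work()` as used before the fix, and the "wait" path to `cancel_work_sync()`, which waits for a running work item to finish. Condition variables force the interleaving from the commit message (the client is already unhashed when shutdown runs) so the outcome is deterministic rather than racy.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: NCLIENTS clients, each owning one cache object.
 * live_objects stands in for objects still allocated in the nfsd_file
 * and nfsd_file_mark slabs at kmem_cache_destroy() time. */
#define NCLIENTS 3

struct client {
    bool hashed;   /* still reachable from the per-net client hash */
};

static struct client clients[NCLIENTS];
static int live_objects;

static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
static bool work_unhashed, work_may_finish, work_done;

/* Work item: expire_client() unhashes first and destroys afterwards. */
static void *shrinker_work(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&lock);
    clients[0].hashed = false;          /* unhash_client() */
    work_unhashed = true;
    pthread_cond_broadcast(&cond);
    /* Park mid-flight so shutdown can run in the race window. */
    while (!work_may_finish)
        pthread_cond_wait(&cond, &lock);
    live_objects--;                     /* __destroy_client() frees its object */
    work_done = true;
    pthread_cond_broadcast(&cond);
    pthread_mutex_unlock(&lock);
    return NULL;
}

/* Let the parked work item complete and wait for it (lock held by caller). */
static void wait_for_work_locked(void)
{
    work_may_finish = true;
    pthread_cond_broadcast(&cond);
    while (!work_done)
        pthread_cond_wait(&cond, &lock);
}

/* Model of nfs4_state_shutdown_net() followed by nfsd_file_cache_shutdown().
 * Returns how many objects are still live when the cache is destroyed;
 * a nonzero value is the "Objects remaining" condition from the report. */
static int shutdown_net(bool sync_cancel)
{
    int remaining;

    pthread_mutex_lock(&lock);
    while (!work_unhashed)              /* enter only once the client is unhashed */
        pthread_cond_wait(&cond, &lock);

    if (sync_cancel)
        wait_for_work_locked();         /* cancel_work_sync(): wait for running work */
    /* else: cancel_work() returns immediately; the running item keeps going */

    /* nfs4_state_destroy_net(): only hashed clients are found and freed. */
    for (int i = 0; i < NCLIENTS; i++) {
        if (clients[i].hashed) {
            clients[i].hashed = false;
            live_objects--;
        }
    }

    remaining = live_objects;           /* checked by kmem_cache_destroy() */
    if (remaining > 0)
        printf("BUG: %d object(s) remaining at cache shutdown\n", remaining);

    /* In the buggy ordering the work item finishes after the cache is gone
     * (the use-after-free); here it is only released so the thread can be joined. */
    if (!sync_cancel)
        wait_for_work_locked();
    pthread_mutex_unlock(&lock);
    return remaining;
}

/* Run one complete scenario and return the count seen at cache shutdown. */
int run_shutdown_scenario(bool sync_cancel)
{
    pthread_t worker;
    int remaining;

    for (int i = 0; i < NCLIENTS; i++)
        clients[i].hashed = true;
    live_objects = NCLIENTS;
    work_unhashed = work_may_finish = work_done = false;

    pthread_create(&worker, NULL, shrinker_work, NULL);
    remaining = shutdown_net(sync_cancel);
    pthread_join(worker, NULL);
    return remaining;
}

int main(void)
{
    printf("cancel without waiting: %d remaining\n", run_shutdown_scenario(false));
    printf("cancel synchronously:   %d remaining\n", run_shutdown_scenario(true));
    return 0;
}
```

The non-synchronous run reports one object left (the unhashed client's), which is exactly why `nfs4_state_destroy_net` cannot clean up after a shrinker that has already unhashed a client; the synchronous run reports zero. The same reasoning applies to any teardown path that owns objects shared with deferred work: cancel and wait before destroying the cache, not after.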
AI Analysis
Technical Summary
CVE-2024-50121 is a high-severity vulnerability in the Linux kernel's NFS server (nfsd) subsystem, specifically related to the handling of client state during shutdown sequences. The vulnerability arises from a race condition between the nfsd_client_shrinker workqueue and the nfs4_state_shutdown_net function, which is triggered when the number of NFS server threads is set to zero via the command `echo 0 > /proc/fs/nfsd/threads`. Under normal operation, this command initiates the release of all resources associated with hashed nfs4_client structures. However, if the nfsd_client_shrinker is concurrently running, it may attempt to unhash and destroy a client that is already being destroyed by nfs4_state_shutdown_net. This leads to use-after-free conditions and kernel warnings related to slab cache shutdowns for nfsd_file and nfsd_file_mark objects. The root cause is that nfs4_state_shutdown_net does not synchronously cancel the nfsd_shrinker_work, allowing concurrent access to freed memory. The vulnerability is classified under CWE-416 (Use After Free), which can lead to memory corruption, kernel crashes, or potentially privilege escalation if exploited. The fix involves modifying nfs4_state_shutdown_net to cancel the nfsd_shrinker_work synchronously, ensuring no concurrent access to freed client structures during shutdown. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and requiring low privileges but no user interaction.
Potential Impact
For European organizations, this vulnerability poses a significant risk to any infrastructure running Linux servers with NFS services enabled, particularly those using kernel versions affected by this flaw. Exploitation could lead to denial of service via kernel crashes or potentially allow attackers to execute arbitrary code with kernel privileges, compromising system confidentiality and integrity. This is critical for sectors relying on NFS for file sharing and storage, such as financial institutions, research centers, and government agencies. The vulnerability could disrupt business continuity, lead to data breaches, or facilitate lateral movement within networks. Given the widespread use of Linux in enterprise environments across Europe, the potential impact is broad, affecting cloud providers, data centers, and on-premises servers. The requirement for local privileges to exploit somewhat limits remote attack vectors but does not eliminate risk, especially in multi-tenant or shared environments.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions where this vulnerability is fixed, ensuring that the synchronous cancellation of nfsd_shrinker_work is implemented. Until patches are applied, administrators should consider disabling NFS server functionality if not essential, or limit access to NFS services to trusted users and networks. Monitoring kernel logs for warnings related to nfsd_file or nfsd_file_mark slab cache shutdowns can help detect exploitation attempts. Employing kernel live patching solutions where available can reduce downtime during remediation. Additionally, enforcing strict access controls and privilege separation on systems running NFS servers will reduce the risk of local privilege escalation. Regularly auditing and updating Linux kernel versions and NFS configurations is critical. Finally, organizations should review and harden their incident response plans to quickly address potential kernel-level compromises.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.953Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbdffef
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 7/2/2025, 11:55:30 PM
Last updated: 8/7/2025, 2:57:09 AM
Views: 14