CVE-2024-50151: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Thu Nov 07 2024 (11/07/2024, 09:31:27 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOBs when building SMB2_IOCTL request

When using encryption, either enforced by the server or when using 'seal' mount option, the client will squash all compound request buffers down for encryption into a single iov in smb2_set_next_command(). SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the SMB2_IOCTL request in the first iov, and if the user passes an input buffer that is greater than 328 bytes, smb2_set_next_command() will end up writing off the end of @rqst->iov[0].iov_base as shown below:

    mount.cifs //srv/share /mnt -o ...,seal
    ln -s $(perl -e "print('a')for 1..1024") /mnt/link

    BUG: KASAN: slab-out-of-bounds in smb2_set_next_command.cold+0x1d6/0x24c [cifs]
    Write of size 4116 at addr ffff8881148fcab8 by task ln/859

    CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x5d/0x80
     ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
     print_report+0x156/0x4d9
     ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
     ? __virt_addr_valid+0x145/0x310
     ? __phys_addr+0x46/0x90
     ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
     kasan_report+0xda/0x110
     ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
     kasan_check_range+0x10f/0x1f0
     __asan_memcpy+0x3c/0x60
     smb2_set_next_command.cold+0x1d6/0x24c [cifs]
     smb2_compound_op+0x238c/0x3840 [cifs]
     ? kasan_save_track+0x14/0x30
     ? kasan_save_free_info+0x3b/0x70
     ? vfs_symlink+0x1a1/0x2c0
     ? do_symlinkat+0x108/0x1c0
     ? __pfx_smb2_compound_op+0x10/0x10 [cifs]
     ? kmem_cache_free+0x118/0x3e0
     ? cifs_get_writable_path+0xeb/0x1a0 [cifs]
     smb2_get_reparse_inode+0x423/0x540 [cifs]
     ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
     ? rcu_is_watching+0x20/0x50
     ? __kmalloc_noprof+0x37c/0x480
     ? smb2_create_reparse_symlink+0x257/0x490 [cifs]
     ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
     smb2_create_reparse_symlink+0x38f/0x490 [cifs]
     ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
     ? find_held_lock+0x8a/0xa0
     ? hlock_class+0x32/0xb0
     ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
     cifs_symlink+0x24f/0x960 [cifs]
     ? __pfx_make_vfsuid+0x10/0x10
     ? __pfx_cifs_symlink+0x10/0x10 [cifs]
     ? make_vfsgid+0x6b/0xc0
     ? generic_permission+0x96/0x2d0
     vfs_symlink+0x1a1/0x2c0
     do_symlinkat+0x108/0x1c0
     ? __pfx_do_symlinkat+0x10/0x10
     ? strncpy_from_user+0xaa/0x160
     __x64_sys_symlinkat+0xb9/0xf0
     do_syscall_64+0xbb/0x1d0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f08d75c13bb

AI-Powered Analysis

Last updated: 06/28/2025, 17:55:25 UTC

Technical Analysis

CVE-2024-50151 is a vulnerability in the Linux kernel's SMB (Server Message Block) client, specifically in the handling of SMB2_IOCTL requests when encryption is enabled. The issue lies in smb2_set_next_command(), the function that consolidates the buffers of a compound SMB2 request into a single I/O vector (iov) so that the whole request can be encrypted. When the client uses encryption, either because the server enforces it or because the share was mounted with the 'seal' option, every compound request is squashed into that single iov.

The overflow occurs because SMB2_ioctl_init() allocates a fixed 448-byte buffer for the SMB2_IOCTL request in the first iov, while smb2_set_next_command() copies the caller's input buffer into it without checking that it fits. An input buffer larger than 328 bytes therefore causes a write past the end of the allocation, which Kernel Address Sanitizer (KASAN) reports as a slab-out-of-bounds write. The example in the description shows that creating a symbolic link with a large target (1024 'a' characters) on a CIFS share mounted with 'seal' is enough to trigger the bug and crash the kernel. The root cause is a mismatch between the size of the allocated buffer and the size of the data copied into it, with no validation of the input length on the SMB2_IOCTL request path.

In kernel space, an out-of-bounds write of this kind means memory corruption: at minimum system instability and crashes (denial of service), and potentially privilege escalation or arbitrary code execution if the corruption can be controlled. As of the published information, no exploits are known in the wild. The affected kernels are those containing the commit hashes referenced in the CVE record, which places the bug in recent and development kernels around 6.12-rc3. No CVSS score has been assigned, and the record links no patches or mitigations, but the issue is publicly disclosed and should be addressed promptly by Linux kernel maintainers and distribution vendors.

Potential Impact

For European organizations, the impact of CVE-2024-50151 can be significant, especially for those relying on Linux-based servers and workstations that mount SMB shares with encryption enabled. The vulnerability can cause kernel crashes leading to denial of service, disrupting critical business operations and services. In environments where SMB shares are used extensively for file sharing, collaboration, or application data storage, this can affect availability and operational continuity. Additionally, if attackers develop exploits leveraging this out-of-bounds write, they could potentially execute arbitrary code with kernel privileges, compromising confidentiality and integrity of sensitive data. This risk is heightened in sectors with high reliance on Linux infrastructure, such as finance, telecommunications, government, and cloud service providers prevalent in Europe. The vulnerability also poses a threat to multi-tenant cloud environments and virtualized infrastructures common in European data centers. Given the kernel-level nature of the flaw, successful exploitation could bypass many security controls, making remediation critical to prevent potential escalations and data breaches.

Mitigation Recommendations

1. Update the Linux kernel to a version in which this vulnerability is patched as soon as one is available from the kernel maintainers or your distribution vendor; monitor vendor advisories for patches addressing CVE-2024-50151.
2. Until patches are applied, consider disabling SMB encryption (the 'seal' mount option) on CIFS mounts where feasible, so that the vulnerable code path is not exercised; note that this removes the confidentiality protection SMB encryption provides on the wire.
3. Restrict the ability of unprivileged users to create symbolic links, or to perform other operations that could trigger the vulnerability, on CIFS mounts, using strict access controls and filesystem permissions.
4. In test environments, build kernels with Kernel Address Sanitizer (KASAN) enabled to detect and analyze potential exploitation attempts.
5. Monitor system logs and kernel crash reports for crashes or KASAN reports that reference smb2_set_next_command.
6. Segment the network and limit SMB traffic to trusted networks to reduce the exposed attack surface.
7. Maintain proactive vulnerability management and incident response planning so that any exploitation attempt can be addressed quickly.

These steps go beyond generic advice by focusing on configuration adjustments and operational controls specific to the SMB client encryption context and the Linux kernel environment.
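Recommendation 5 above is easiest to operationalize as a log check. The following is an added example, not part of the CVE record or the kernel's code: it parses dmesg/journal-style lines, pairs each "BUG: KASAN:" header with the access line that follows it, and flags the exact signature quoted in the description (a slab-out-of-bounds write inside smb2_set_next_command() in the cifs module). The timestamps, the unrelated second report and the module name example_mod are constructed.

```python
"""Flag KASAN reports from the cifs SMB2 compound path (CVE-2024-50151) in kernel logs.
Added example, not from the CVE record; timestamps and the second report are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[A-Za-z_][\w.]*)"
                    r"\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>\w+)\])?")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>[^/\s]+)/(?P<pid>\d+)")

@dataclass
class KasanReport:
    kind: str
    func: str
    module: Optional[str]
    op: Optional[str] = None
    size: Optional[int] = None
    task: Optional[str] = None
    pid: Optional[int] = None

    def matches_cve_2024_50151(self) -> bool:
        # Signature from the advisory: a slab-out-of-bounds WRITE inside
        # smb2_set_next_command() in cifs; the frame may carry a ".cold" suffix.
        return (self.kind == "slab-out-of-bounds" and self.op == "Write"
                and self.module == "cifs"
                and self.func.split(".")[0] == "smb2_set_next_command")

def parse_kasan_reports(lines: Iterable[str]) -> List[KasanReport]:
    # One KasanReport per "BUG: KASAN:" header, paired with its first access line.
    reports: List[KasanReport] = []
    for line in lines:
        bug = BUG_RE.search(line)
        if bug:
            reports.append(KasanReport(bug["kind"], bug["func"], bug["module"]))
            continue
        acc = ACCESS_RE.search(line)
        if acc and reports and reports[-1].op is None:
            r = reports[-1]
            r.op, r.size, r.task, r.pid = acc["op"], int(acc["size"]), acc["task"], int(acc["pid"])
    return reports

def flag_cve_2024_50151(lines: Iterable[str]) -> List[KasanReport]:
    return [r for r in parse_kasan_reports(lines) if r.matches_cve_2024_50151()]

# Constructed sample log: the first report reuses the advisory's KASAN lines, the rest is noise.
SAMPLE_LOG = [
    "[  101.318] BUG: KASAN: slab-out-of-bounds in smb2_set_next_command.cold+0x1d6/0x24c [cifs]",
    "[  101.319] Write of size 4116 at addr ffff8881148fcab8 by task ln/859",
    "[  250.004] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[  300.777] BUG: KASAN: use-after-free in example_driver_read+0x4a/0x90 [example_mod]",
    "[  300.778] Read of size 8 at addr ffff888100a4c000 by task cat/1234",
]
```

Feed it `dmesg` output or journal lines with `flag_cve_2024_50151(sys.stdin)`; a match gives the faulting task and PID to correlate with the CIFS mount activity on that host.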


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.959Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe0100

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 5:55:25 PM

Last updated: 8/16/2025, 12:41:43 AM
