CVE-2024-50217: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Sat Nov 09 2024 (11/09/2024, 10:14:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger a UAF for variable 'device->bdev_file' in __btrfs_free_extra_devids(). And following are the details:

1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV):

               /  btrfs_device_1 → loop0
    fs_device
               \  btrfs_device_2 → loop1

2. mount /dev/loop0 /mnt
    btrfs_open_devices
     btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0)
     btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
    btrfs_fill_super
     open_ctree
      fail: btrfs_close_devices // -ENOMEM
             btrfs_close_bdev(btrfs_device_1)
              fput(btrfs_device_1->bdev_file)
              // btrfs_device_1->bdev_file is freed
             btrfs_close_bdev(btrfs_device_2)
              fput(btrfs_device_2->bdev_file)

3. mount /dev/loop1 /mnt
    btrfs_open_devices
     btrfs_get_bdev_and_sb(&bdev_file)
      // EIO, btrfs_device_1->bdev_file is not assigned,
      // which points to a freed memory area
     btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1)
    btrfs_fill_super
     open_ctree
      btrfs_free_extra_devids
       if (btrfs_device_1->bdev_file)
        fput(btrfs_device_1->bdev_file) // UAF !

Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device().

AI-Powered Analysis

Last updated: 07/02/2025, 23:27:24 UTC

Technical Analysis

CVE-2024-50217 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's Btrfs filesystem implementation. The flaw is reached in __btrfs_free_extra_devids() when two Btrfs images that share a filesystem ID (fsid) but carry different device UUIDs (dev_uuids) are mounted in a particular order. The root cause is the handling of the 'bdev_file' pointer in struct btrfs_device: when a mount of the first loopback device (e.g., /dev/loop0) fails in open_ctree(), btrfs_close_devices() calls fput() on each device's 'bdev_file' but leaves the pointer set. On the next mount (e.g., /dev/loop1), reopening the first device fails with EIO, so its 'bdev_file' is never reassigned and still points at freed memory; __btrfs_free_extra_devids() then sees a non-NULL pointer and calls fput() on it, which is the use-after-free. This can corrupt kernel memory, potentially allowing an attacker with local access to execute arbitrary code with kernel privileges or to cause a denial of service (kernel panic). The fix sets 'device->bdev_file' to NULL in btrfs_close_one_device() after the file is released. Exploitation requires local access with low privileges and no user interaction, and is limited to scenarios where an attacker can attach and mount crafted Btrfs images with the UUID properties described above. The CVSS 3.1 base score is 7.8 (high), reflecting high impact on confidentiality, integrity, and availability combined with low attack complexity and low privileges required.
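The following is an added, self-contained simulation written for this page; it is not kernel code and does not touch any real block device. It models the dangling-pointer pattern described above with a toy refcounted "file" object (the names toy_file, toy_device, toy_open, toy_fput and run_scenario are invented for the example) and replays steps 2 and 3 of the advisory once with a close routine that leaves the pointer set (the pre-patch behaviour) and once with a close routine that clears it (what the upstream fix does). Objects live in stack storage and are only marked as released, so the stale access is counted rather than being real undefined behaviour.

```c
#include <stdio.h>

/* Toy stand-in for the kernel's struct file: a refcounted object that is
 * only marked released (refcount 0), never actually freed, so a stale
 * access can be detected instead of corrupting memory. */
struct toy_file {
    const char *name;
    int refcount;     /* 0 means the last reference was dropped ("freed") */
};

/* Toy stand-in for struct btrfs_device, reduced to the field that matters. */
struct toy_device {
    struct toy_file *bdev_file;
};

/* Number of stale accesses seen by toy_fput() in the current scenario. */
static int uaf_detected;

/* Like taking a reference when a block device file is opened. */
static struct toy_file *toy_open(struct toy_file *f)
{
    f->refcount++;
    return f;
}

/* Like fput(): drop a reference. Returns -1 and records a use-after-free
 * if the object was already released, 0 otherwise. */
static int toy_fput(struct toy_file *f)
{
    if (f->refcount == 0) {
        uaf_detected++;
        fprintf(stderr, "use-after-free: fput() on released %s\n", f->name);
        return -1;
    }
    f->refcount--;
    return 0;
}

/* Pre-patch btrfs_close_one_device(): drops the reference, leaves the pointer. */
static void close_one_device_vulnerable(struct toy_device *dev)
{
    if (dev->bdev_file)
        toy_fput(dev->bdev_file);
    /* dev->bdev_file still points at a released object */
}

/* Patched btrfs_close_one_device(): the pointer is cleared after the release. */
static void close_one_device_fixed(struct toy_device *dev)
{
    if (dev->bdev_file)
        toy_fput(dev->bdev_file);
    dev->bdev_file = NULL;
}

/* Models __btrfs_free_extra_devids(): a non-NULL bdev_file is trusted. */
static int free_extra_devids(struct toy_device *dev)
{
    if (dev->bdev_file)
        return toy_fput(dev->bdev_file);
    return 0;
}

/* Replays steps 2 and 3 of the advisory. Returns the number of stale accesses. */
int run_scenario(int patched)
{
    struct toy_file loop0 = { "loop0", 0 }, loop1 = { "loop1", 0 };
    struct toy_device dev1 = { NULL }, dev2 = { NULL };
    void (*close_one)(struct toy_device *) =
        patched ? close_one_device_fixed : close_one_device_vulnerable;

    uaf_detected = 0;

    /* Step 2: mount /dev/loop0 opens both devices, then open_ctree fails
     * and btrfs_close_devices() closes each device. */
    dev1.bdev_file = toy_open(&loop0);
    dev2.bdev_file = toy_open(&loop1);
    close_one(&dev1);
    close_one(&dev2);

    /* Step 3: mount /dev/loop1. Reopening loop0 fails with EIO, so dev1's
     * bdev_file is never reassigned; loop1 opens normally. */
    dev2.bdev_file = toy_open(&loop1);

    /* open_ctree -> btrfs_free_extra_devids() now inspects dev1. */
    free_extra_devids(&dev1);
    close_one(&dev2);     /* release the live reference */
    return uaf_detected;
}

int main(void)
{
    printf("vulnerable close: %d stale access(es)\n", run_scenario(0));
    printf("patched close:    %d stale access(es)\n", run_scenario(1));
    return 0;
}
```

The point the simulation makes is the one the patch relies on: a release routine that drops a reference must also clear the owning pointer, because a later caller cannot tell a live pointer from a stale one by inspection alone. With the vulnerable close routine the replay reports one stale access in free_extra_devids(); with the patched routine it reports none.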

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to environments running Linux servers with Btrfs filesystems, which are increasingly used for features such as snapshots and checksumming. Exploitation could lead to privilege escalation, allowing attackers to gain kernel-level code execution and compromising system confidentiality and integrity. This could result in unauthorized data access, data tampering, or persistent backdoors. Successful exploitation could also crash the system, impacting availability of critical services. Organizations relying on Linux-based infrastructure for cloud services, data centers, or critical applications could face operational disruptions. Given the local access requirement, insider threats or attackers who have already gained limited access could leverage this vulnerability to escalate privileges. The lack of known exploits in the wild currently reduces immediate risk, but the high severity and straightforward exploitation path warrant urgent attention.

Mitigation Recommendations

European organizations should prioritize patching affected Linux kernel versions as soon as vendor updates become available. In the interim, restrict local access to systems running Btrfs filesystems by enforcing strict access controls and monitoring for suspicious mounting activities, especially involving loopback devices or unusual filesystem images. Employ kernel security modules (e.g., SELinux, AppArmor) to limit the capabilities of processes that can mount filesystems. Regularly audit and restrict the use of loop devices and mounting privileges to trusted users only. Implement comprehensive logging and alerting for mount operations and kernel errors that could indicate exploitation attempts. Consider isolating critical systems with Btrfs filesystems from untrusted users and networks to reduce attack surface. Finally, educate system administrators about this vulnerability and the importance of applying kernel updates promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.972Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf570

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 7/2/2025, 11:27:24 PM

Last updated: 8/9/2025, 3:50:57 PM
