CVE-2024-53095: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free of network namespace. Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0] The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying. The root cause is wrong reference counting for network namespace. CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens. The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFS We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers. Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne ---truncated---
AI Analysis
Technical Summary
CVE-2024-53095 is a high-severity use-after-free vulnerability in the Linux kernel's CIFS (Common Internet File System) client implementation. The root cause lies in incorrect reference counting of network namespaces (netns) when CIFS mounts are performed within non-root network namespaces, a scenario common in containerized environments such as Kubernetes. Specifically, CIFS uses kernel sockets that do not maintain a reference count on the network namespace they belong to. This can lead to a situation where the network namespace is destroyed while sockets still reference it, causing a use-after-free condition. This flaw manifests during pod termination in Kubernetes when CIFS mounts are unmounted after the network namespace is destroyed, especially if network packets are dropped or delayed. The vulnerability can cause kernel oops (crashes) and memory corruption, potentially leading to system instability or escalation of privileges. The issue is exacerbated by asynchronous TCP timers that complicate guaranteeing the network namespace's lifetime without proper reference counting. The fix involves holding a reference count on the network namespace for each socket, moving the put_net() call to ensure the socket is freed before the netns is destroyed, and careful ordering of socket creation and destruction to avoid race conditions. The vulnerability is tracked as CWE-416 (Use After Free) and has a CVSS 3.1 score of 7.8, indicating high severity with impacts on confidentiality, integrity, and availability. It affects Linux kernel versions including those used in Amazon Linux 2 (kernel 6.1.103) on ARM64 architectures, commonly deployed in cloud and container environments. No known exploits are currently reported in the wild, but the conditions for exploitation exist in modern container orchestration platforms that use CIFS mounts in non-root network namespaces.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those leveraging Linux-based containerized workloads orchestrated by Kubernetes or similar platforms, and using CIFS mounts for network file shares. The use-after-free can cause kernel crashes leading to denial of service, disrupting critical applications and services. Furthermore, the memory corruption could be leveraged by a local attacker or compromised container to escalate privileges or execute arbitrary code within the kernel context, threatening confidentiality and integrity of sensitive data. Enterprises in sectors such as finance, manufacturing, cloud service providers, and public administration that rely on Linux servers and containerized infrastructure are particularly at risk. The impact is amplified in multi-tenant environments where isolation depends on network namespaces. Disruptions could affect service availability and compliance with data protection regulations like GDPR if sensitive data is exposed or systems are compromised. The complexity of the bug and its manifestation during pod termination also complicates detection and remediation, increasing operational risk.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-53095 as soon as it becomes available. Until patched, mitigate risk by avoiding the use of CIFS mounts within non-root network namespaces, or by limiting the use of CIFS in containerized environments. Implement strict network policies to minimize packet loss or drops that trigger the bug. Monitor kernel logs for signs of CIFS-related oops or crashes, especially during pod shutdown events. Employ runtime security tools capable of detecting anomalous kernel behavior. For Kubernetes clusters, consider isolating workloads that require CIFS mounts to root network namespaces or dedicated nodes with patched kernels. Engage with Linux distribution vendors for backported patches if using long-term support kernels. Additionally, review container orchestration and storage configurations to reduce reliance on CIFS where possible, migrating to more robust network file systems or storage solutions. Conduct thorough testing of container lifecycle operations involving CIFS mounts in staging environments to detect potential crashes before production deployment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain
CVE-2024-53095: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free of network namespace. Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0] The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying. The root cause is wrong reference counting for network namespace. CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens. The repro steps are roughly: 1. mount CIFS in a non-root netns 2. drop packets from the netns 3. destroy the netns 4. unmount CIFS We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers. Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-53095 is a high-severity use-after-free vulnerability in the Linux kernel's CIFS (Common Internet File System) client implementation. The root cause lies in incorrect reference counting of network namespaces (netns) when CIFS mounts are performed within non-root network namespaces, a scenario common in containerized environments such as Kubernetes. Specifically, CIFS uses kernel sockets that do not maintain a reference count on the network namespace they belong to. This can lead to a situation where the network namespace is destroyed while sockets still reference it, causing a use-after-free condition. This flaw manifests during pod termination in Kubernetes when CIFS mounts are unmounted after the network namespace is destroyed, especially if network packets are dropped or delayed. The vulnerability can cause kernel oops (crashes) and memory corruption, potentially leading to system instability or escalation of privileges. The issue is exacerbated by asynchronous TCP timers that complicate guaranteeing the network namespace's lifetime without proper reference counting. The fix involves holding a reference count on the network namespace for each socket, moving the put_net() call to ensure the socket is freed before the netns is destroyed, and careful ordering of socket creation and destruction to avoid race conditions. The vulnerability is tracked as CWE-416 (Use After Free) and has a CVSS 3.1 score of 7.8, indicating high severity with impacts on confidentiality, integrity, and availability. It affects Linux kernel versions including those used in Amazon Linux 2 (kernel 6.1.103) on ARM64 architectures, commonly deployed in cloud and container environments. No known exploits are currently reported in the wild, but the conditions for exploitation exist in modern container orchestration platforms that use CIFS mounts in non-root network namespaces.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for those leveraging Linux-based containerized workloads orchestrated by Kubernetes or similar platforms, and using CIFS mounts for network file shares. The use-after-free can cause kernel crashes leading to denial of service, disrupting critical applications and services. Furthermore, the memory corruption could be leveraged by a local attacker or compromised container to escalate privileges or execute arbitrary code within the kernel context, threatening confidentiality and integrity of sensitive data. Enterprises in sectors such as finance, manufacturing, cloud service providers, and public administration that rely on Linux servers and containerized infrastructure are particularly at risk. The impact is amplified in multi-tenant environments where isolation depends on network namespaces. Disruptions could affect service availability and compliance with data protection regulations like GDPR if sensitive data is exposed or systems are compromised. The complexity of the bug and its manifestation during pod termination also complicates detection and remediation, increasing operational risk.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-53095 as soon as it becomes available. Until patched, mitigate risk by avoiding the use of CIFS mounts within non-root network namespaces, or by limiting the use of CIFS in containerized environments. Implement strict network policies to minimize packet loss or drops that trigger the bug. Monitor kernel logs for signs of CIFS-related oops or crashes, especially during pod shutdown events. Employ runtime security tools capable of detecting anomalous kernel behavior. For Kubernetes clusters, consider isolating workloads that require CIFS mounts to root network namespaces or dedicated nodes with patched kernels. Engage with Linux distribution vendors for backported patches if using long-term support kernels. Additionally, review container orchestration and storage configurations to reduce reliance on CIFS where possible, migrating to more robust network file systems or storage solutions. Conduct thorough testing of container lifecycle operations involving CIFS mounts in staging environments to detect potential crashes before production deployment.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-11-19T17:17:24.982Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9824c4522896dcbdf999
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 7/2/2025, 11:42:39 PM
Last updated: 8/12/2025, 3:32:18 PM
Views: 15
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.