CVE-2024-53166: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix bfqq uaf in bfq_limit_depth()

Setting a newly allocated bfqq in bic and removing a freed bfqq from bic are both protected by bfqd->lock; however, bfq_limit_depth() is dereferencing bfqq from bic without the lock. This can lead to a UAF if the io_context is shared by multiple tasks. For example, testing bfq with io_uring can trigger the following UAF in v6.6:

==================================================================
BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50

Call Trace:
 <TASK>
 dump_stack_lvl+0x47/0x80
 print_address_description.constprop.0+0x66/0x300
 print_report+0x3e/0x70
 kasan_report+0xb4/0xf0
 bfqq_group+0x15/0x50
 bfqq_request_over_limit+0x130/0x9a0
 bfq_limit_depth+0x1b5/0x480
 __blk_mq_alloc_requests+0x2b5/0xa00
 blk_mq_get_new_requests+0x11d/0x1d0
 blk_mq_submit_bio+0x286/0xb00
 submit_bio_noacct_nocheck+0x331/0x400
 __block_write_full_folio+0x3d0/0x640
 writepage_cb+0x3b/0xc0
 write_cache_pages+0x254/0x6c0
 write_cache_pages+0x254/0x6c0
 do_writepages+0x192/0x310
 filemap_fdatawrite_wbc+0x95/0xc0
 __filemap_fdatawrite_range+0x99/0xd0
 filemap_write_and_wait_range.part.0+0x4d/0xa0
 blkdev_read_iter+0xef/0x1e0
 io_read+0x1b6/0x8a0
 io_issue_sqe+0x87/0x300
 io_wq_submit_work+0xeb/0x390
 io_worker_handle_work+0x24d/0x550
 io_wq_worker+0x27f/0x6c0
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Allocated by task 808602:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_slab_alloc+0x83/0x90
 kmem_cache_alloc_node+0x1b1/0x6d0
 bfq_get_queue+0x138/0xfa0
 bfq_get_bfqq_handle_split+0xe3/0x2c0
 bfq_init_rq+0x196/0xbb0
 bfq_insert_request.isra.0+0xb5/0x480
 bfq_insert_requests+0x156/0x180
 blk_mq_insert_request+0x15d/0x440
 blk_mq_submit_bio+0x8a4/0xb00
 submit_bio_noacct_nocheck+0x331/0x400
 __blkdev_direct_IO_async+0x2dd/0x330
 blkdev_write_iter+0x39a/0x450
 io_write+0x22a/0x840
 io_issue_sqe+0x87/0x300
 io_wq_submit_work+0xeb/0x390
 io_worker_handle_work+0x24d/0x550
 io_wq_worker+0x27f/0x6c0
 ret_from_fork+0x2d/0x50
 ret_from_fork_asm+0x1b/0x30

Freed by task 808589:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x27/0x40
 __kasan_slab_free+0x126/0x1b0
 kmem_cache_free+0x10c/0x750
 bfq_put_queue+0x2dd/0x770
 __bfq_insert_request.isra.0+0x155/0x7a0
 bfq_insert_request.isra.0+0x122/0x480
 bfq_insert_requests+0x156/0x180
 blk_mq_dispatch_plug_list+0x528/0x7e0
 blk_mq_flush_plug_list.part.0+0xe5/0x590
 __blk_flush_plug+0x3b/0x90
 blk_finish_plug+0x40/0x60
 do_writepages+0x19d/0x310
 filemap_fdatawrite_wbc+0x95/0xc0
 __filemap_fdatawrite_range+0x99/0xd0
 filemap_write_and_wait_range.part.0+0x4d/0xa0
 blkdev_read_iter+0xef/0x1e0
 io_read+0x1b6/0x8a0
 io_issue_sqe+0x87/0x300
 io_wq_submit_work+0xeb/0x390
 io_worker_handle_work+0x24d/0x550
 io_wq_worker+0x27f/0x6c0
 ret_from_fork+0x2d/0x50
 ret_from_fork_asm+0x1b/0x30

Fix the problem by protecting bic_to_bfqq() with bfqd->lock.
AI Analysis
Technical Summary
CVE-2024-53166 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's block layer, specifically within the BFQ (Budget Fair Queueing) I/O scheduler implementation. The flaw arises in the function bfq_limit_depth(), which dereferences a bfqq (BFQ queue) pointer from the bic (block I/O context) without holding the required bfqd->lock mutex. Although other operations such as setting a new bfqq to bic or removing a freed bfqq from bic are protected by this lock, the lack of locking in bfq_limit_depth() allows concurrent tasks sharing the same io_context to access freed memory. This results in a use-after-free condition, which can be triggered by workloads using io_uring, a modern asynchronous I/O interface in Linux. The kernel's KASAN (Kernel Address Sanitizer) detected this vulnerability during testing, showing a slab-use-after-free in bfqq_group(). The vulnerability can lead to arbitrary code execution, kernel crashes, or privilege escalation due to the corruption of kernel memory structures. The root cause is a concurrency control bug where the bfqq pointer is accessed without proper synchronization, allowing a race condition between allocation and freeing of bfqq structures. The fix involves protecting the bic_to_bfqq() function with the bfqd->lock mutex to ensure safe concurrent access. This vulnerability affects Linux kernel versions prior to the patch and is particularly relevant for systems using the BFQ scheduler and io_uring interface. The CVSS v3.1 score is 7.8 (High), reflecting the local attack vector requiring low privileges but no user interaction, with high impact on confidentiality, integrity, and availability.
Potential Impact
For European organizations, this vulnerability poses significant risks especially for servers and infrastructure running Linux kernels with the BFQ I/O scheduler enabled and utilizing io_uring for asynchronous I/O operations. Potential impacts include unauthorized escalation of privileges, allowing attackers with local access to execute arbitrary code in kernel context, leading to full system compromise. This can disrupt critical services, cause data breaches, and impact availability of essential systems. Given the widespread use of Linux in European data centers, cloud environments, and embedded devices, exploitation could affect sectors such as finance, healthcare, telecommunications, and government. The vulnerability's exploitation does not require user interaction but does require local access or compromised user accounts, which could be leveraged in multi-tenant environments or through chained attacks. The high integrity and availability impact means that successful exploitation could lead to data corruption, service outages, or persistent backdoors. Organizations relying on Linux kernel versions prior to the fix are at risk until patches are applied.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patches that address CVE-2024-53166 is critical. Monitor kernel updates from trusted sources and deploy them promptly.
2. If patching is not immediately feasible, consider disabling the BFQ I/O scheduler or switching to alternative schedulers (e.g., CFQ, MQ-Deadline) where possible to reduce exposure.
3. Limit local access to systems by enforcing strict access controls, using multi-factor authentication, and monitoring for suspicious local activity.
4. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar issues proactively.
5. Monitor system logs and kernel crash reports for signs of exploitation attempts, including unexpected use-after-free or memory corruption errors.
6. In containerized or virtualized environments, isolate workloads to minimize the risk of privilege escalation from compromised containers or VMs.
7. Educate system administrators about the risks of io_uring and BFQ scheduler usage, and encourage cautious deployment until patches are applied.
8. Implement comprehensive endpoint detection and response (EDR) solutions capable of detecting anomalous kernel-level behavior.
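An exposure check for mitigations 2 and 7, added here as an example; it is not part of this entry or of the kernel sources. It assumes the standard sysfs scheduler file format (available schedulers listed, the active one in square brackets) and the kernel.io_uring_disabled sysctl present since Linux 6.6; the scheduler lines used in the checks are constructed.

```sh
#!/bin/sh
# Added example (not from the CVE entry or the kernel tree): find block
# devices whose active I/O scheduler is bfq, the scheduler affected by
# CVE-2024-53166, and optionally move them to another scheduler until the
# fixed kernel is installed. Assumes /sys/block/<dev>/queue/scheduler reads
# like "mq-deadline kyber [bfq] none" with the active scheduler in brackets.

# Print the bracketed (active) scheduler from one scheduler-file line.
active_sched() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# Exit status 0 if the line shows bfq as the active scheduler.
bfq_active() {
    [ "$(active_sched "$1")" = "bfq" ]
}

# Choose a replacement the device actually offers: mq-deadline, else none.
fallback_sched() {
    for cand in mq-deadline none; do
        case " $(printf '%s\n' "$1" | tr -d '[]') " in
            *" $cand "*) printf '%s\n' "$cand"; return 0 ;;
        esac
    done
    return 1
}

# io_uring is the trigger path in the report; kernel.io_uring_disabled
# (Linux 6.6+) shows whether unprivileged processes may create rings.
io_uring_status() {
    v=$(sysctl -n kernel.io_uring_disabled 2>/dev/null) || { echo "io_uring sysctl unavailable"; return 0; }
    echo "kernel.io_uring_disabled=$v (0=all, 1=CAP_SYS_ADMIN/io_uring_group only, 2=disabled)"
}

# Walk sysfs; pass "fix" to rewrite the scheduler of exposed devices (needs root).
scan_block_devices() {
    for f in /sys/block/*/queue/scheduler; do
        [ -r "$f" ] || continue
        line=$(cat "$f")
        dev=${f#/sys/block/}; dev=${dev%%/*}
        bfq_active "$line" || continue
        echo "EXPOSED: $dev uses bfq ($line)"
        if [ "${1:-}" = "fix" ] && fb=$(fallback_sched "$line"); then
            echo "$fb" > "$f" && echo "  switched $dev to $fb"
        fi
    done
}

if [ "${1:-}" = "run" ]; then io_uring_status; scan_block_devices "${2:-}"; fi
```

Run as `sh check-bfq.sh run` to report, or `sh check-bfq.sh run fix` as root to switch exposed devices; the sysfs write is not persistent across reboots, so keep the kernel update as the real fix.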
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-11-19T17:17:25.005Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdede2
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 7/2/2025, 10:41:59 PM
Last updated: 7/29/2025, 9:42:49 PM