
CVE-2024-53171: Vulnerability in Linux

Severity: High
Published: Fri Dec 27 2024 (12/27/2024, 13:49:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`. After a further deletion of other nodes in the tree (which could also free nodes), the aforementioned node's `znode->cparent` could still point to a freed node. This `znode->cparent` may not be updated when getting nodes to commit in `ubifs_tnc_start_commit()`. This could then trigger a use-after-free when accessing the `znode->cparent` in `write_index()` in `ubifs_tnc_end_commit()`.

This can be triggered by running

    rm -f /etc/test-file.bin
    dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync

in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`.

KASAN then reports:

    BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950
    Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153

    Call trace:
     dump_backtrace+0x0/0x340
     show_stack+0x18/0x24
     dump_stack_lvl+0x9c/0xbc
     print_address_description.constprop.0+0x74/0x2b0
     kasan_report+0x1d8/0x1f0
     kasan_check_range+0xf8/0x1a0
     memcpy+0x84/0xf4
     ubifs_tnc_end_commit+0xa5c/0x1950
     do_commit+0x4e0/0x1340
     ubifs_bg_thread+0x234/0x2e0
     kthread+0x36c/0x410
     ret_from_fork+0x10/0x20

    Allocated by task 401:
     kasan_save_stack+0x38/0x70
     __kasan_kmalloc+0x8c/0xd0
     __kmalloc+0x34c/0x5bc
     tnc_insert+0x140/0x16a4
     ubifs_tnc_add+0x370/0x52c
     ubifs_jnl_write_data+0x5d8/0x870
     do_writepage+0x36c/0x510
     ubifs_writepage+0x190/0x4dc
     __writepage+0x58/0x154
     write_cache_pages+0x394/0x830
     do_writepages+0x1f0/0x5b0
     filemap_fdatawrite_wbc+0x170/0x25c
     file_write_and_wait_range+0x140/0x190
     ubifs_fsync+0xe8/0x290
     vfs_fsync_range+0xc0/0x1e4
     do_fsync+0x40/0x90
     __arm64_sys_fsync+0x34/0x50
     invoke_syscall.constprop.0+0xa8/0x260
     do_el0_svc+0xc8/0x1f0
     el0_svc+0x34/0x70
     el0t_64_sync_handler+0x108/0x114
     el0t_64_sync+0x1a4/0x1a8

    Freed by task 403:
     kasan_save_stack+0x38/0x70
     kasan_set_track+0x28/0x40
     kasan_set_free_info+0x28/0x4c
     __kasan_slab_free+0xd4/0x13c
     kfree+0xc4/0x3a0
     tnc_delete+0x3f4/0xe40
     ubifs_tnc_remove_range+0x368/0x73c
     ubifs_tnc_remove_ino+0x29c/0x2e0
     ubifs_jnl_delete_inode+0x150/0x260
     ubifs_evict_inode+0x1d4/0x2e4
     evict+0x1c8/0x450
     iput+0x2a0/0x3c4
     do_unlinkat+0x2cc/0x490
     __arm64_sys_unlinkat+0x90/0x100
     invoke_syscall.constprop.0+0xa8/0x260
     do_el0_svc+0xc8/0x1f0
     el0_svc+0x34/0x70
     el0t_64_sync_handler+0x108/0x114
     el0t_64_sync+0x1a4/0x1a8

The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free when a node becomes root in TNC but still has a `cparent` to an already freed node. More specifically, consider the following TNC:

         zroot
        /
       /
     zp1
     /
    /
   zn

Inserting a new node `zn_new` with a key smaller than `zn` will trigger a split in `tnc_insert()` if `zp1` is full:

          zroot
         /     \
        /       \
      zp1       zp2
      /           \
     /             \
   zn_new           zn

`zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still points to `zp1`.

Now, consider a removal of all the nodes _except_ `zn`. Just when `tnc_delete()` is about to delete `zroot` and `zp2`:

    zroot
        \
         \
         zp2
            \
             \
             zn

`zroot` and `zp2` get freed and the tree collapses:

    zn

`zn` now becomes the new `zroot`. `get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and `write_index()` will check its `znode->cparent` that wrongly points to the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called with `znode->cparent->zbranch[znode->iip].hash` that triggers the use-after-free!

Fix this by explicitly setting `znode->cparent` to `NULL` in `get_znodes_to_commit()` for the root node. The search for the dirty nodes ---truncated---

AI-Powered Analysis

Last updated: 07/02/2025, 22:43:35 UTC

Technical Analysis

CVE-2024-53171 is a high-severity use-after-free vulnerability in the Linux kernel's UBIFS (UBI File System) authentication code, specifically within the tree node cache (TNC) management during commit operations. UBIFS is a file system designed for flash memory devices, commonly used in embedded systems and some Linux distributions. The vulnerability arises due to improper handling of parent pointers in the TNC tree structure during node insertions and deletions. When a node insertion causes a tree split, the node's parent pointer (`znode->parent`) is updated, but the cached parent pointer (`znode->cparent`) may still reference a freed node if subsequent deletions occur. This stale pointer is not reset properly in the commit phase (`ubifs_tnc_start_commit()`), leading to a use-after-free condition when `write_index()` accesses `znode->cparent`. The flaw can be triggered by repeatedly creating and deleting files with specific commands under the `CONFIG_UBIFS_FS_AUTHENTICATION` kernel configuration. The kernel's KASAN (Kernel Address Sanitizer) detects this as a use-after-free during memory copy operations in `ubifs_copy_hash()`. Exploitation could lead to arbitrary code execution, kernel crashes, or data corruption due to corrupted file system metadata. The patch involves explicitly nullifying the `cparent` pointer for root nodes during commit to prevent referencing freed memory. The vulnerability affects Linux kernel versions containing the specified commit hashes and requires local privileges with write access to UBIFS volumes configured with authentication enabled. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity but requiring privileges and no user interaction.
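A toy C model of the pointer bookkeeping that the commit message and the analysis above walk through, added here as an illustration and not taken from the kernel or from the fix itself. The node names (`zroot`, `zp1`, `zp2`, `zn`, `zn_new`) follow the commit message; the `freed` flag stands in for `kfree()` so the stale `cparent` can be inspected without an invalid read, and `get_znodes_to_commit()` / `write_index_reads_freed()` are simplified stand-ins for the kernel functions, not their real signatures.

```c
/* Toy model of the znode parent / cached-parent pointers behind CVE-2024-53171
 * (added example, not UBIFS code). Real znodes are kfree()d; here a "freed"
 * flag stands in so the stale pointer can be inspected safely. */
#include <stdbool.h>
#include <stdlib.h>

struct znode {
    struct znode *parent;  /* current parent in the TNC */
    struct znode *cparent; /* parent as seen by the commit; not updated on split */
    bool freed;
};

static struct znode *mk(struct znode *parent) {
    struct znode *z = calloc(1, sizeof *z);
    z->parent = z->cparent = parent;
    return z;
}

/* Models the fix: the node that became root has no parent, so its cached
 * parent must not be trusted either. */
static void get_znodes_to_commit(struct znode *zroot, bool fixed) {
    if (fixed && zroot->parent == NULL)
        zroot->cparent = NULL;
}

/* Models the hash copy in write_index(): true if it would read through a
 * cparent that has already been freed. */
static bool write_index_reads_freed(const struct znode *z) {
    return z->cparent != NULL && z->cparent->freed;
}

/* Replays the commit-message scenario; returns true if the UAF would occur. */
bool tnc_commit_uaf(bool fixed) {
    struct znode *zroot = mk(NULL);
    struct znode *zp1 = mk(zroot);
    struct znode *zn = mk(zp1);
    /* Insert zn_new below zp1 while zp1 is full: the split moves zn under a
     * new zp2, updating zn->parent but leaving zn->cparent at zp1. */
    struct znode *zp2 = mk(zroot);
    struct znode *zn_new = mk(zp1);
    zn->parent = zp2;
    /* Delete every node except zn: zp1, zn_new, zp2 and zroot are freed and
     * zn collapses into the new root. */
    zn_new->freed = zp1->freed = zp2->freed = zroot->freed = true;
    zn->parent = NULL;
    get_znodes_to_commit(zn, fixed);
    bool uaf = write_index_reads_freed(zn);
    free(zroot); free(zp1); free(zp2); free(zn_new); free(zn);
    return uaf;
}
```

Running the scenario without the fix reports a read through the freed `zp1`; with the root's `cparent` cleared, the commit never touches it.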

Potential Impact

For European organizations, the impact of CVE-2024-53171 is significant primarily in environments using Linux systems with UBIFS file systems configured with authentication, which are common in embedded devices, IoT gateways, and specialized industrial equipment. Exploitation could allow local attackers or compromised processes to escalate privileges, corrupt file system data, or cause denial of service by crashing the kernel. This could disrupt critical infrastructure, manufacturing systems, or telecommunications equipment relying on embedded Linux. Confidentiality breaches could occur if attackers manipulate file system metadata to access or alter sensitive data. Integrity and availability impacts are also high, risking data loss or system downtime. Organizations in sectors such as manufacturing, automotive, telecommunications, and critical infrastructure in Europe that deploy embedded Linux devices with UBIFS authentication are at elevated risk. The vulnerability does not appear to be exploited in the wild yet, but the high severity and ease of triggering under specific configurations warrant proactive mitigation to prevent potential targeted attacks or accidental system failures.

Mitigation Recommendations

1. Apply the official Linux kernel patches that fix CVE-2024-53171 as soon as they are available and tested in your environment.
2. For embedded and IoT devices, coordinate with vendors to ensure updated firmware or kernel versions are deployed that include the fix.
3. Disable UBIFS authentication (`CONFIG_UBIFS_FS_AUTHENTICATION`) if it is not required, as this reduces the attack surface.
4. Implement strict access controls to limit local user privileges and prevent untrusted users or processes from performing file operations on UBIFS volumes.
5. Monitor kernel logs for KASAN or other memory error reports that may indicate exploitation attempts or system instability related to UBIFS.
6. Conduct regular integrity checks and backups of critical embedded systems to enable recovery from potential data corruption.
7. For development and testing environments, use KASAN or similar memory sanitizers to detect use-after-free and other memory errors early.
8. Harden device configurations by restricting shell or command execution capabilities on embedded devices to reduce the risk of triggering the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:25.006Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdee09

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 7/2/2025, 10:43:35 PM

Last updated: 8/4/2025, 7:01:06 AM

