CVE-2024-53177: Vulnerability in the Linux kernel (vendor Linux, product Linux)
In the Linux kernel, the following vulnerability has been resolved:

smb: prevent use-after-free due to open_cached_dir error paths

If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending.

Update open_cached_dir() to drop refs rather than directly freeing the cfid.

Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs().

Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()):

==================================================================
BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0
Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65

CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Workqueue: cifsiod smb2_cached_lease_break
Call Trace:
 <TASK>
 dump_stack_lvl+0x77/0xb0
 print_report+0xce/0x660
 kasan_report+0xd3/0x110
 smb2_cached_lease_break+0x27/0xb0
 process_one_work+0x50a/0xc50
 worker_thread+0x2ba/0x530
 kthread+0x17c/0x1c0
 ret_from_fork+0x34/0x60
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 2464:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0xaa/0xb0
 open_cached_dir+0xa7d/0x1fb0
 smb2_query_path_info+0x43c/0x6e0
 cifs_get_fattr+0x346/0xf10
 cifs_get_inode_info+0x157/0x210
 cifs_revalidate_dentry_attr+0x2d1/0x460
 cifs_getattr+0x173/0x470
 vfs_statx_path+0x10f/0x160
 vfs_statx+0xe9/0x150
 vfs_fstatat+0x5e/0xc0
 __do_sys_newfstatat+0x91/0xf0
 do_syscall_64+0x95/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2464:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x51/0x70
 kfree+0x174/0x520
 open_cached_dir+0x97f/0x1fb0
 smb2_query_path_info+0x43c/0x6e0
 cifs_get_fattr+0x346/0xf10
 cifs_get_inode_info+0x157/0x210
 cifs_revalidate_dentry_attr+0x2d1/0x460
 cifs_getattr+0x173/0x470
 vfs_statx_path+0x10f/0x160
 vfs_statx+0xe9/0x150
 vfs_fstatat+0x5e/0xc0
 __do_sys_newfstatat+0x91/0xf0
 do_syscall_64+0x95/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Last potentially related work creation:
 kasan_save_stack+0x33/0x60
 __kasan_record_aux_stack+0xad/0xc0
 insert_work+0x32/0x100
 __queue_work+0x5c9/0x870
 queue_work_on+0x82/0x90
 open_cached_dir+0x1369/0x1fb0
 smb2_query_path_info+0x43c/0x6e0
 cifs_get_fattr+0x346/0xf10
 cifs_get_inode_info+0x157/0x210
 cifs_revalidate_dentry_attr+0x2d1/0x460
 cifs_getattr+0x173/0x470
 vfs_statx_path+0x10f/0x160
 vfs_statx+0xe9/0x150
 vfs_fstatat+0x5e/0xc0
 __do_sys_newfstatat+0x91/0xf0
 do_syscall_64+0x95/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The buggy address belongs to the object at ffff88811cc24c00
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 16 bytes inside of
 freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000)
AI Analysis
Technical Summary
CVE-2024-53177 is a use-after-free in the Linux kernel's SMB (CIFS) client, in the directory-handle cache built around open_cached_dir(). open_cached_dir() opens a directory on the server with a directory lease and keeps the handle in a cached_fid (cfid) object so later directory operations can be served from the cache; the server can revoke the lease at any time by sending a lease break, which the client handles in work queued on the cifsiod workqueue (smb2_cached_lease_break in the report). If open_cached_dir() fails while parsing the lease in the server's response, its error path freed the cfid directly. When a lease break had already been queued against that cfid, the queued work still held a pointer to it and the handler read the freed object: the KASAN report shows an 8-byte read at offset 16 of a freed kmalloc-1k object that was allocated and freed by the same stat()-driven open_cached_dir() call, with the work creation also traced back to open_cached_dir(), where the reproducer injects the break. Once the slab slot is reused the read returns whatever now occupies it, so the outcome ranges from a kernel crash to memory corruption and, in the worst case, code execution in kernel context.

The fix changes open_cached_dir() to drop its reference rather than freeing the cfid outright, so the object lives until the last holder, including the queued lease-break work, puts it. cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() now clear has_lease immediately while holding cfids->cfid_list_lock, which gives every path one consistent answer to whether a break is in flight and lets the reference counting in the laundromat and invalidation paths be simplified. The report came from a KASAN build in which the parse error and the lease break were injected manually, not from an observed in-the-wild trigger.

Both triggering inputs, the malformed lease response and the lease break, arrive from the server side of the connection, so the realistic attacker is a hostile or compromised SMB server, or an on-path party able to inject SMB traffic, against a client that mounts the share. The CVSS v3.1 score recorded for the CVE is 7.8 (high): local attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity and availability impact. Kernels carrying the SMB client code without the fix are affected; the client is widely used for file sharing and network storage access in enterprise environments.
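The race described above, replayed as an added single-threaded model rather than kernel code (the struct and function names are this model's own and only mirror the roles the commit message names; the lock is represented by a comment because the model has one thread):

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not kernel code: a single-threaded model of the race behind
 * CVE-2024-53177. Names are this model's own and only mirror the roles in the
 * commit message (the cfid, the lease-break work, the open_cached_dir() error
 * path). The interleaving replayed below is the one the KASAN report shows:
 * allocate, queue the lease-break work, take the error path, run the work.
 */
struct cfid {
	int refcount;
	bool has_lease;
	bool freed;	/* stands in for the slab free so a use-after-free is detectable */
};

static struct cfid *queued_work;	/* single-slot stand-in for the cifsiod workqueue */

static struct cfid *cfid_alloc(void)
{
	struct cfid *c = calloc(1, sizeof(*c));
	if (!c)
		abort();
	c->refcount = 1;	/* the opener's reference */
	c->has_lease = true;
	return c;
}

static void cfid_get(struct cfid *c) { c->refcount++; }

/* The last reference releases the object (kref_put + kfree in the kernel). */
static void cfid_put(struct cfid *c)
{
	if (--c->refcount == 0)
		c->freed = true;
}

/*
 * A lease break arrives from the server. As in the fixed kernel, has_lease is
 * cleared at once (there under cfids->cfid_list_lock, so every path sees the
 * same answer to "is a break in flight?") and the queued work owns a reference.
 */
static void lease_break_arrives(struct cfid *c)
{
	c->has_lease = false;
	cfid_get(c);		/* reference owned by the queued work */
	queued_work = c;
}

/* Runs later on the workqueue. Returns false if it read freed memory. */
static bool run_lease_break_work(void)
{
	struct cfid *c = queued_work;
	queued_work = NULL;
	if (!c)
		return true;
	if (c->freed)
		return false;	/* the slab-use-after-free KASAN reported */
	cfid_put(c);		/* the work is done with its reference */
	return true;
}

/* Pre-fix error path: frees the object outright, whoever else still holds it. */
static void open_error_path_buggy(struct cfid *c) { c->freed = true; /* kfree(cfid) */ }

/* Post-fix error path: drop only the opener's reference. */
static void open_error_path_fixed(struct cfid *c) { cfid_put(c); }

/*
 * Replay the interleaving with one of the two error paths. Returns 1 when the
 * work ran on a live object and the object was then released exactly once,
 * 0 when the work touched freed memory.
 */
static int replay(bool fixed)
{
	struct cfid *c = cfid_alloc();
	bool work_ok;
	int result;

	lease_break_arrives(c);			/* refcount 2, work queued */
	if (fixed)
		open_error_path_fixed(c);	/* refcount 1, object still live */
	else
		open_error_path_buggy(c);	/* object gone, work still queued */
	work_ok = run_lease_break_work();	/* fixed: the work's put releases it */
	result = work_ok && c->freed && c->refcount == 0;
	free(c);
	return result;
}

int main(void)
{
	printf("error path frees directly:  %s\n", replay(false) ? "ok" : "use-after-free");
	printf("error path drops reference: %s\n", replay(true) ? "ok" : "use-after-free");
	return 0;
}
```

replay(false) reproduces the pre-fix ordering: the work runs after the error path has freed the object and touches freed memory. replay(true) shows the fixed invariant: no path frees the object except the last put, and any path that hands the pointer to deferred work takes a reference for that work first, so the error path only gives up its own reference.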
Potential Impact
For European organizations, the exposure is concentrated in enterprises and public-sector bodies whose Linux servers and workstations mount SMB shares, which is common wherever Linux hosts sit alongside Windows file servers or NAS appliances. A successful trigger crashes the kernel (denial of service) or corrupts kernel memory; a reliable exploit would give code execution in kernel context and with it privilege escalation, access to any data the host handles, and a foothold for lateral movement. Because the race is driven by the server side of the SMB exchange, the most plausible scenarios are a client mounting a share from a malicious or compromised server, or an attacker with an on-path position in the network. The local attack vector in the CVSS score reflects that an attacker needs a foothold that can reach a vulnerable client, which limits remote mass exploitation but not post-compromise use: an intruder who has arrived via phishing or a stolen credential can use the bug to escalate or destabilize the host. Sectors with large Linux estates and heavy SMB use, such as critical infrastructure, telecommunications and financial services, have the most to lose from both the outage and the escalation path, and hybrid environments that mix Windows file servers with Linux SMB clients are the ones most likely to have vulnerable mounts in place.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2024-53177. Use the distribution's advisory rather than the upstream version number to confirm the backport, since vendor kernels carry fixes without changing their version string. Where SMB is not needed, remove the attack surface: confirm no cifs or smb3 mounts exist (filesystem type cifs in /proc/mounts), check whether the module is loaded (lsmod | grep cifs), and blacklist it with a drop-in under /etc/modprobe.d (blacklist cifs together with install cifs /bin/false, so a mount attempt cannot autoload it). Where SMB is needed, mount only shares from trusted servers, pin the protocol to SMB3 (vers=3.1.1) and enable encryption (the seal mount option) or at least signing, so that an on-path attacker cannot inject lease breaks or malformed responses into the session. Limit local user privileges to the minimum necessary; the CVSS vector assumes a local foothold, so reducing who can reach a vulnerable client reduces who can exploit it. Monitor hosts with SMB mounts for kernel oopses and cifs errors in the kernel log, since a failed attempt at this race is far more likely to surface as a crash than as anything subtler. Network segmentation limits lateral movement if exploitation succeeds. KASAN is a debugging tool, not a hardening feature: run it in test and CI builds of kernels you maintain to catch similar object-lifetime bugs, but do not enable it on production systems. Finally, maintain backup and recovery procedures for the denial-of-service and data-corruption outcomes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-11-19T17:17:25.007Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdee54
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 7/2/2025, 10:56:05 PM
Last updated: 8/15/2025, 5:21:45 AM
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)