CVE-2024-53178: Vulnerability in the Linux kernel (SMB client)
In the Linux kernel, the following vulnerability has been resolved:

smb: Don't leak cfid when reconnect races with open_cached_dir

open_cached_dir() may either race with the tcon reconnection even before compound_send_recv() or directly trigger a reconnection via SMB2_open_init() or SMB_query_info_init(). The reconnection process invokes invalidate_all_cached_dirs() via cifs_mark_open_files_invalid(), which removes all cfids from the cfids->entries list but doesn't drop a ref if has_lease isn't true. This results in the currently-being-constructed cfid not being on the list, but still having a refcount of 2. It leaks if returned from open_cached_dir().

Fix this by setting cfid->has_lease when the ref is actually taken; the cfid will not be used by other threads until it has a valid time.

Addresses these kmemleaks:

    unreferenced object 0xffff8881090c4000 (size 1024):
      comm "bash", pid 1860, jiffies 4295126592
      hex dump (first 32 bytes):
        00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........".......
        00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff  ..E"......O.....
      backtrace (crc 6f58c20f):
        [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350
        [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0
        [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50
        [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0
        [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200
        [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0
        [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
    unreferenced object 0xffff8881044fdcf8 (size 8):
      comm "bash", pid 1860, jiffies 4295126592
      hex dump (first 8 bytes):
        00 cc cc cc cc cc cc cc  ........
      backtrace (crc 10c106a9):
        [<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480
        [<ffffffff8b7d7256>] kstrdup+0x36/0x60
        [<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0
        [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50
        [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0
        [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200
        [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0
        [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e

And addresses these BUG splats when unmounting the SMB filesystem:

    BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]
    WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100
    Modules linked in:
    CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
    RIP: 0010:umount_check+0xd0/0x100
    Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41
    RSP: 0018:ffff88811cc27978 EFLAGS: 00010286
    RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae
    RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40
    RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3
    R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08
    R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0
    FS:  00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0
    Call Trace:
     <TASK>
     d_walk+0x6a/0x530
     shrink_dcache_for_umount+0x6a/0x200
     generic_shutdown_super+0x52/0x2a0
     kill_anon_super+0x22/0x40
     cifs_kill_sb+0x159/0x1e0
     deactivate_locked_super+0x66/0xe0
     cleanup_mnt+0x140/0x210
     task_work_run+0xfb/0x170
     syscall_exit_to_user_mode+0x29f/0x2b0
     do_syscall_64+0xa1/0x1a0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    RIP: 0033:0x7f23bfb93ae7
    Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89
    ---truncated---
AI Analysis
Technical Summary
CVE-2024-53178 is a vulnerability in the Linux kernel's SMB (Server Message Block) client implementation, specifically in how cached directory entries are handled when a directory open races with a reconnection. The flaw arises in open_cached_dir(), which may race with the tcon (tree connection) reconnection process either before compound_send_recv() or by itself triggering a reconnection via SMB2_open_init() or SMB_query_info_init(). During reconnection, the kernel invokes invalidate_all_cached_dirs() through cifs_mark_open_files_invalid(), which removes every cached directory handle (cfid, a cached file id) from the cfids->entries list but only drops a reference for entries whose has_lease flag is set. A cfid that is still being constructed therefore ends up off the list while still holding a refcount of 2, and if open_cached_dir() returns it, that cfid is never freed. The fix sets cfid->has_lease at the point where the reference is actually taken; other threads will not use the cfid until it has a valid time, so setting the flag early is safe. The same fix resolves the kernel memory leaks (kmemleaks) reported under open_cached_dir() and prevents the BUG splats (kernel warnings and crashes) seen when unmounting SMB filesystems, which were caused by stale dentry references. The vulnerability affects Linux kernel versions prior to the patch and is relevant to systems using CIFS/SMB mounts, commonly used for network file sharing. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability primarily impacts systems running Linux kernels that mount SMB/CIFS network shares, which are prevalent in enterprise environments for file sharing and collaboration. The memory leak and reference count mismanagement could lead to resource exhaustion over time, potentially degrading system performance or causing kernel instability and crashes during SMB filesystem operations, including unmounting. While the vulnerability does not directly enable remote code execution or privilege escalation, the resulting denial of service (DoS) conditions could disrupt critical file services, impacting business continuity. Organizations relying on Linux-based file servers, virtualized environments, or cloud infrastructure with SMB mounts are at risk. Given the widespread use of Linux in European data centers, cloud providers, and enterprise IT infrastructure, the vulnerability could affect a broad range of sectors including finance, manufacturing, public administration, and telecommunications. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future attacks or accidental system failures.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to the latest patched versions that address CVE-2024-53178. Specifically, they should:
1) Identify all systems using SMB/CIFS mounts and verify kernel versions against the patched releases.
2) Apply vendor-provided kernel updates promptly, especially on critical servers and infrastructure handling SMB traffic.
3) Monitor kernel logs for signs of memory leaks or BUG splats related to CIFS operations to detect potential exploitation or instability: on kernels with kmemleak enabled, look for "unreferenced object" reports whose backtrace passes through open_cached_dir(), and in dmesg for "BUG: Dentry ... still in use" lines tagged "[unmount of cifs".
4) Implement proactive resource monitoring to detect abnormal memory usage or system crashes that could indicate exploitation attempts.
5) Where possible, limit SMB usage to trusted networks and consider alternative secure file sharing protocols if SMB is not essential.
6) Employ configuration management and automated patch deployment tools to ensure consistent and timely remediation across all Linux systems.
7) Engage with Linux distribution vendors for backported patches if using long-term support kernels.
These steps go beyond generic advice by focusing on SMB-specific kernel usage, monitoring for leak symptoms, and emphasizing patch management in Linux environments.
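As an added illustration of recommendation 3 (this code is not from the kernel or the advisory), the following Python scans kmemleak output and dmesg text for the two symptoms the commit message reproduces: leaked objects whose allocation backtrace runs through open_cached_dir()/cifs_readdir(), and the dcache BUG raised when a cifs share is unmounted with a dentry still in use. The regexes, function names and sample input are mine; the sample is constructed, modelled on the advisory's reports.

```python
# Added example (not kernel/advisory code): flag CVE-2024-53178 symptoms in kmemleak/dmesg text.
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")  # kmemleak report start
FRAME = re.compile(r"^\s*\[<[0-9a-f]+>\] (\S+)")  # one backtrace frame: symbol+off/size
DENTRY_BUG = re.compile(r"BUG: Dentry \S+ still in use \(\d+\) \[unmount of cifs")
CIFS_FRAMES = ("open_cached_dir", "cifs_readdir")  # allocation path named in the advisory

@dataclass
class Leak:
    addr: str
    size: int
    frames: list = field(default_factory=list)

    def from_cifs_cached_dir(self):
        # Compare the symbol part of each frame, with the +offset/size suffix stripped.
        return any(f.split("+")[0] in CIFS_FRAMES for f in self.frames)

def parse_kmemleak(text):
    """Group a kmemleak dump into Leak records: a header line plus its backtrace frames."""
    leaks = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            leaks.append(Leak(m.group(1), int(m.group(2))))
        elif leaks and (f := FRAME.match(line)):
            leaks[-1].frames.append(f.group(1))
    return leaks

def cifs_leaks(text):
    """Leaks whose allocation backtrace runs through the CIFS cached-dir path."""
    return [lk for lk in parse_kmemleak(text) if lk.from_cifs_cached_dir()]

def dentry_splats(dmesg):
    """Lines matching the unmount-time dcache BUG quoted in the advisory."""
    return [ln for ln in dmesg.splitlines() if DENTRY_BUG.search(ln)]

# Constructed sample input modelled on the advisory's reports; addresses are made up.
SAMPLE_KMEMLEAK = """\
unreferenced object 0xffff888100000000 (size 1024):
  backtrace (crc 6f58c20f):
    [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350
    [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0
    [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50
unreferenced object 0xffff888100001000 (size 64):
  backtrace (crc 00000001):
    [<ffffffff8b000000>] unrelated_driver_alloc+0x10/0x20
"""
SAMPLE_DMESG = "BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]\n"
```

Feed it the contents of /sys/kernel/debug/kmemleak and the output of dmesg; a non-empty result from either function on a host with SMB mounts is a signal to schedule the kernel update rather than proof of an attack.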
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-11-19T17:17:25.008Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdee5c
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 10:26:41 AM
Last updated: 8/14/2025, 4:47:40 PM