CVE-2024-53216: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nfsd: release svc_expkey/svc_export with rcu_work

The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show` (using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues:

1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below.

==================================================================
BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
Read of size 1 at addr ff11000010fdc120 by task cat/870

CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x53/0x70
 print_address_description.constprop.0+0x2c/0x3a0
 print_report+0xb9/0x280
 kasan_report+0xae/0xe0
 svc_export_show+0x362/0x430 [nfsd]
 c_show+0x161/0x390 [sunrpc]
 seq_read_iter+0x589/0x770
 seq_read+0x1e5/0x270
 proc_reg_read+0xe1/0x140
 vfs_read+0x125/0x530
 ksys_read+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 830:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 __kmalloc_node_track_caller_noprof+0x1bc/0x400
 kmemdup_noprof+0x22/0x50
 svc_export_parse+0x8a9/0xb80 [nfsd]
 cache_do_downcall+0x71/0xa0 [sunrpc]
 cache_write_procfs+0x8e/0xd0 [sunrpc]
 proc_reg_write+0xe1/0x140
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 868:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x37/0x50
 kfree+0xf3/0x3e0
 svc_export_put+0x87/0xb0 [nfsd]
 cache_purge+0x17f/0x1f0 [sunrpc]
 nfsd_destroy_serv+0x226/0x2d0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`.

=============================
WARNING: suspicious RCU usage
5.10.0-dirty #141 Not tainted
-----------------------------
...
Call Trace:
 dump_stack+0x9a/0xd0
 ___might_sleep+0x231/0x240
 dput+0x39/0x600
 path_put+0x1b/0x30
 svc_export_put+0x17/0x80
 e_show+0x1c9/0x200
 seq_read_iter+0x63f/0x7c0
 seq_read+0x226/0x2d0
 vfs_read+0x113/0x2c0
 ksys_read+0xc9/0x170
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x67/0xd1

Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period.
AI Analysis
Technical Summary
CVE-2024-53216 is a high-severity vulnerability in the Linux kernel's NFS daemon (nfsd) subsystem, specifically in the handling of the svc_export and svc_expkey objects used for NFS server exports. The vulnerability arises from improper memory management and synchronization when releasing these objects. The root cause is that the last reference to the cache_head structure can drop to zero inside the c_show and e_show functions, which run under an RCU (Read-Copy-Update) read lock. That triggers svc_export_put and expkey_put, which free the ex_uuid memory immediately; the code that follows in c_show and e_show still accesses ex_uuid after cache_put, giving a use-after-free condition. This is confirmed by Kernel Address Sanitizer (KASAN) reports showing slab-use-after-free errors during procfs reads of the NFS export cache (the trace shows a cat process reading through seq_read). Additionally, the code violates RCU usage rules by sleeping while holding an RCU read lock: svc_export_put and expkey_put call path_put, which calls dput, and dput may sleep, which is not permitted inside an RCU read-side critical section. The fix defers the freeing of svc_expkey and svc_export objects using rcu_work, which schedules the release asynchronously after an RCU grace period, so memory is reclaimed safely and path_put runs in a context that is allowed to sleep. This vulnerability is classified as CWE-416 (Use After Free) and has a CVSS 3.1 score of 7.8, indicating high severity. It requires local privileges (PR:L) but no user interaction (UI:N) and affects confidentiality, integrity, and availability (C:H/I:H/A:H) of the affected systems. Exploitation could allow a local attacker with limited privileges to crash the kernel (denial of service) or potentially escalate privileges by exploiting the use-after-free condition in the NFS server kernel module. No known exploits are reported in the wild yet.
The affected versions include recent Linux kernel commits prior to the patch, notably kernel version 6.12.0-rc3+ and others in active development branches. The vulnerability impacts Linux systems running NFS server functionality, which is common in enterprise and cloud environments.
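The deferred-release pattern the fix relies on, as a user-space model added here (example code, not the kernel's nfsd code). The names export_obj, export_put, run_rcu_work, show_export and the reader counter are hypothetical stand-ins for cache_head/svc_export, svc_export_put, the rcu_work callback, c_show and the RCU grace period; the model shows why a reader that drops the last reference may still touch uuid after put, and that nothing is freed while a reader is inside its critical section.

```c
/* Added example, not kernel code: a user-space model of the rcu_work fix.
 * Rule modelled: a put() that drops the last reference inside an
 * rcu_read_lock() section must neither free the object nor sleep; it
 * queues the release, which runs only after every such reader has left. */
#include <stdlib.h>
#include <string.h>

struct export_obj {
    int refcount;
    char *uuid;               /* stands in for ex_uuid */
    struct export_obj *next;  /* link on the deferred-release queue */
};
static int readers_active;          /* outstanding rcu_read_lock() calls */
static struct export_obj *pending;  /* queued rcu_work items */
static void rcu_read_lock_model(void)   { readers_active++; }
static void rcu_read_unlock_model(void) { readers_active--; }
static struct export_obj *export_new(const char *uuid) {
    struct export_obj *e = calloc(1, sizeof *e);
    e->refcount = 1;
    e->uuid = malloc(strlen(uuid) + 1);
    strcpy(e->uuid, uuid);
    return e;
}
/* svc_export_put after the fix: the last put only queues the release. */
static void export_put(struct export_obj *e) {
    if (--e->refcount == 0) { e->next = pending; pending = e; }
}
/* The rcu_work callback: releases queued objects only once no reader is
 * inside a critical section, in a context where path_put()/kfree() may
 * sleep. Returns the number released, 0 while a reader is still active. */
static int run_rcu_work(void) {
    int n = 0;
    if (readers_active > 0) return 0;
    for (; pending; n++) {
        struct export_obj *e = pending;
        pending = e->next;
        free(e->uuid);   /* kfree(ex_uuid) */
        free(e);         /* kfree(exp) */
    }
    return n;
}
/* c_show-style reader: may drop the last reference, then still reads uuid. */
static size_t show_export(struct export_obj *e) {
    rcu_read_lock_model();
    export_put(e);                 /* the bug: uuid used to be freed here */
    size_t len = strlen(e->uuid);  /* safe now: release deferred past unlock */
    rcu_read_unlock_model();
    return len;
}
```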
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Linux-based NFS servers for file sharing and storage services. Exploitation could lead to denial of service by crashing the kernel, or potentially to privilege escalation, allowing attackers to gain unauthorized root access. This could compromise sensitive data confidentiality and integrity, disrupt critical business operations, and impact the availability of shared resources. Organizations in sectors such as finance, healthcare, government, and manufacturing that use Linux NFS servers for internal or external file sharing are particularly at risk. The vulnerability requires local access, so insider threats or attackers who have already gained limited access could leverage this flaw to escalate privileges or disrupt services. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the impact could be broad if not mitigated promptly. Additionally, because the bug involves kernel memory management and RCU synchronization, exploitation attempts could cause unpredictable system behavior, increasing operational risk.
Mitigation Recommendations
1. Immediate patching: Apply the official Linux kernel patches that implement the fix using rcu_work to safely release svc_expkey and svc_export objects. Monitor kernel mailing lists and vendor advisories for updated kernel versions addressing CVE-2024-53216.
2. Limit local access: Restrict local user privileges and access to systems running NFS server functionality to trusted personnel only. Use strong authentication and access controls to reduce the risk of local exploitation.
3. Disable NFS server if not needed: If NFS server functionality is not required, disable the nfsd service to eliminate the attack surface.
4. Monitor kernel logs: Enable and monitor kernel logs for KASAN or other memory corruption warnings that might indicate exploitation attempts.
5. Use security modules: Employ Linux Security Modules (e.g., SELinux, AppArmor) to confine nfsd processes and limit their capabilities, reducing potential damage from exploitation.
6. Network segmentation: Isolate NFS servers in secure network segments with strict firewall rules to limit exposure.
7. Incident response readiness: Prepare for potential exploitation by having incident response plans and backups in place to recover from denial of service or compromise scenarios.
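For recommendation 4, a kernel-log check added here (not part of the advisory) that counts lines carrying the two splat signatures quoted in the description above; the function names and the sample log lines are constructed for the example, and the patterns are the only thing tied to this CVE.

```shell
#!/bin/sh
# Added example, not from the advisory. Feed `journalctl -k` or `dmesg`
# output on stdin; prints how many lines match the CVE-2024-53216 splat
# signatures. Exit status follows grep: 0 when at least one line matched.
# Caveat: the KASAN report only exists on kernels built with CONFIG_KASAN
# and the RCU warning needs CONFIG_PROVE_RCU; on a production kernel the
# likelier symptom of the same bug is an unexplained crash during a read
# of the export cache, so this check is a supplement, not a guarantee.
nfsd_splat_count() {
    # 1) KASAN use-after-free attributed to a function in the nfsd module
    # 2) the lockdep "suspicious RCU usage" banner
    # 3) svc_export_put/expkey_put frames in any trace
    grep -E -c \
        -e 'KASAN: slab-use-after-free in [A-Za-z0-9_.]+\+0x[0-9a-f]+/0x[0-9a-f]+ \[nfsd\]' \
        -e 'WARNING: suspicious RCU usage' \
        -e '(svc_export_put|expkey_put)\+0x[0-9a-f]+/0x[0-9a-f]+'
}

# Constructed sample, modelled on the traces in the description above.
SAMPLE_LOG='BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
Read of size 1 at addr ff11000010fdc120 by task cat/870
WARNING: suspicious RCU usage
dput+0x39/0x600
path_put+0x1b/0x30
svc_export_put+0x17/0x80
nfsd: benign constructed line that must not match'

# Runs the check over the constructed sample; prints 3.
nfsd_splat_matches() { printf '%s\n' "$SAMPLE_LOG" | nfsd_splat_count; }
```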
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-11-19T17:17:25.024Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdef79
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 7/2/2025, 11:09:41 PM
Last updated: 7/25/2025, 10:14:19 AM