CVE-2024-56582: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free in btrfs_encoded_read_endio() Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? lock_release+0x708/0x780 ? __wake_up+0x44/0x60 lock_release+0x708/0x780 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? lock_is_held_type+0x9a/0x110 _raw_spin_unlock_irqrestore+0x1f/0x60 __wake_up+0x44/0x60 btrfs_encoded_read_endio+0x14b/0x190 [btrfs] btrfs_check_read_bio+0x8d9/0x1360 [btrfs] ? lock_release+0x1b0/0x780 ? trace_lock_acquire+0x12f/0x1a0 ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs] ? process_one_work+0x7e3/0x1460 ? lock_acquire+0x31/0xc0 ? process_one_work+0x7e3/0x1460 process_one_work+0x85c/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5e6/0xfc0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2c3/0x3a0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x4f/0x70 kfree+0x143/0x490 btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106a83f00 which belongs to the cache kmalloc-rnd-07-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888106a83f00, ffff888106a83f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004 raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Further analyzing the trace and ---truncated---
AI Analysis
Technical Summary
CVE-2024-56582 is a high-severity use-after-free vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically within the function btrfs_encoded_read_endio(). The vulnerability arises due to improper memory management where a freed memory region is accessed afterward, leading to a use-after-free condition. This bug was detected during continuous integration testing involving Btrfs filesystem tests (fstests) on a TCMU runner device. The kernel's Kernel Address Sanitizer (KASAN) detected a slab-use-after-free error in the lock_release function, triggered during Btrfs end I/O processing. The detailed kernel stack trace shows that the freed memory object, allocated from the kmalloc-rnd-07-96 cache, is accessed after being freed, which can cause undefined behavior including memory corruption, kernel crashes, or escalation of privileges. The vulnerability is classified under CWE-416 (Use After Free) and affects Linux kernel versions identified by the commit hashes provided. The CVSS v3.1 score is 7.8, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently reported in the wild, but the vulnerability's nature and impact make it a critical concern for systems using Btrfs on affected Linux kernels. Since Btrfs is a widely used copy-on-write filesystem in Linux environments, especially in enterprise and cloud settings, this vulnerability poses a significant risk if exploited.
Potential Impact
For European organizations, the impact of CVE-2024-56582 can be substantial, particularly those relying on Linux servers with Btrfs filesystems for critical infrastructure, cloud services, or data storage. Exploitation could lead to kernel crashes causing denial of service, data corruption or loss, and potential privilege escalation allowing attackers to gain root access. This could compromise sensitive data confidentiality and integrity, disrupt business operations, and lead to regulatory non-compliance under GDPR due to data breaches or service outages. Organizations running virtualized environments, container platforms, or cloud services on Linux with Btrfs are at higher risk. The local attack vector means that attackers need some level of access to the system, which could be achieved through compromised user accounts or insider threats. The absence of user interaction requirement facilitates automated exploitation once local access is obtained. The high impact on availability and integrity is critical for sectors like finance, healthcare, government, and critical infrastructure prevalent in Europe, where Linux adoption is significant.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from trusted sources or Linux distributions. Since no official patch links are provided in the data, monitoring vendor advisories (e.g., from Canonical, Red Hat, SUSE) and applying kernel updates promptly is essential. In the interim, organizations should restrict local access to trusted users only, enforce strict privilege separation, and monitor for unusual kernel crashes or suspicious activity indicative of exploitation attempts. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can help detect similar issues early. Additionally, auditing Btrfs usage and considering temporary migration to alternative stable filesystems (e.g., ext4, XFS) for critical workloads may reduce exposure. Implementing robust logging and alerting for kernel errors and anomalous behavior will aid in early detection. Finally, ensure that all Linux systems follow the principle of least privilege and that user accounts are regularly reviewed to minimize the risk of local exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
CVE-2024-56582: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free in btrfs_encoded_read_endio() Shinichiro reported the following use-after free that sometimes is happening in our CI system when running fstests' btrfs/284 on a TCMU runner device: BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780 Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219 CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 ? lock_release+0x708/0x780 print_report+0x174/0x505 ? lock_release+0x708/0x780 ? __virt_addr_valid+0x224/0x410 ? lock_release+0x708/0x780 kasan_report+0xda/0x1b0 ? lock_release+0x708/0x780 ? __wake_up+0x44/0x60 lock_release+0x708/0x780 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? lock_is_held_type+0x9a/0x110 _raw_spin_unlock_irqrestore+0x1f/0x60 __wake_up+0x44/0x60 btrfs_encoded_read_endio+0x14b/0x190 [btrfs] btrfs_check_read_bio+0x8d9/0x1360 [btrfs] ? lock_release+0x1b0/0x780 ? trace_lock_acquire+0x12f/0x1a0 ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs] ? process_one_work+0x7e3/0x1460 ? lock_acquire+0x31/0xc0 ? process_one_work+0x7e3/0x1460 process_one_work+0x85c/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5e6/0xfc0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2c3/0x3a0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 3661: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x4f/0x70 kfree+0x143/0x490 btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs] send_extent_data+0xf0f/0x24a0 [btrfs] process_extent+0x48a/0x1830 [btrfs] changed_cb+0x178b/0x2ea0 [btrfs] btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs] _btrfs_ioctl_send+0x117/0x330 [btrfs] btrfs_ioctl+0x184a/0x60a0 [btrfs] __x64_sys_ioctl+0x12e/0x1a0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff888106a83f00 which belongs to the cache kmalloc-rnd-07-96 of size 96 The buggy address is located 24 bytes inside of freed 96-byte region [ffff888106a83f00, ffff888106a83f60) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: f5(slab) raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004 raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Further analyzing the trace and ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-56582 is a high-severity use-after-free vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically within the function btrfs_encoded_read_endio(). The vulnerability arises due to improper memory management where a freed memory region is accessed afterward, leading to a use-after-free condition. This bug was detected during continuous integration testing involving Btrfs filesystem tests (fstests) on a TCMU runner device. The kernel's Kernel Address Sanitizer (KASAN) detected a slab-use-after-free error in the lock_release function, triggered during Btrfs end I/O processing. The detailed kernel stack trace shows that the freed memory object, allocated from the kmalloc-rnd-07-96 cache, is accessed after being freed, which can cause undefined behavior including memory corruption, kernel crashes, or escalation of privileges. The vulnerability is classified under CWE-416 (Use After Free) and affects Linux kernel versions identified by the commit hashes provided. The CVSS v3.1 score is 7.8, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits are currently reported in the wild, but the vulnerability's nature and impact make it a critical concern for systems using Btrfs on affected Linux kernels. Since Btrfs is a widely used copy-on-write filesystem in Linux environments, especially in enterprise and cloud settings, this vulnerability poses a significant risk if exploited.
Potential Impact
For European organizations, the impact of CVE-2024-56582 can be substantial, particularly those relying on Linux servers with Btrfs filesystems for critical infrastructure, cloud services, or data storage. Exploitation could lead to kernel crashes causing denial of service, data corruption or loss, and potential privilege escalation allowing attackers to gain root access. This could compromise sensitive data confidentiality and integrity, disrupt business operations, and lead to regulatory non-compliance under GDPR due to data breaches or service outages. Organizations running virtualized environments, container platforms, or cloud services on Linux with Btrfs are at higher risk. The local attack vector means that attackers need some level of access to the system, which could be achieved through compromised user accounts or insider threats. The absence of user interaction requirement facilitates automated exploitation once local access is obtained. The high impact on availability and integrity is critical for sectors like finance, healthcare, government, and critical infrastructure prevalent in Europe, where Linux adoption is significant.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions as soon as updates become available from trusted sources or Linux distributions. Since no official patch links are provided in the data, monitoring vendor advisories (e.g., from Canonical, Red Hat, SUSE) and applying kernel updates promptly is essential. In the interim, organizations should restrict local access to trusted users only, enforce strict privilege separation, and monitor for unusual kernel crashes or suspicious activity indicative of exploitation attempts. Employing kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments can help detect similar issues early. Additionally, auditing Btrfs usage and considering temporary migration to alternative stable filesystems (e.g., ext4, XFS) for critical workloads may reduce exposure. Implementing robust logging and alerting for kernel errors and anomalous behavior will aid in early detection. Finally, ensure that all Linux systems follow the principle of least privilege and that user accounts are regularly reviewed to minimize the risk of local exploitation.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-27T14:03:06.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdf2fe
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 7/2/2025, 11:14:15 PM
Last updated: 8/21/2025, 2:35:12 PM
Views: 18
Related Threats
CVE-2025-9310: Hard-coded Credentials in yeqifu carRental
MediumCVE-2025-9309: Hard-coded Credentials in Tenda AC10
LowCVE-2025-57761: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalCVE-2025-43755: CWE-79: Cross-site Scripting in Liferay Portal
MediumCVE-2025-57755: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in musistudio claude-code-router
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.