CVE-2024-57895: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: set ATTR_CTIME flags when setting mtime

David reported that the new warning from setattr_copy_mgtime is coming like the following.

[ 113.215316] ------------[ cut here ]------------
[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200
[ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234
[ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
[ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200
[ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0
[ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202
[ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003
[ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0
[ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa
[ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38
[ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000
[ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000
[ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0
[ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 113.234797] Call Trace:
[ 113.235116] <TASK>
[ 113.235393] ? __warn+0x73/0xd0
[ 113.235802] ? setattr_copy+0x1ee/0x200
[ 113.236299] ? report_bug+0xf3/0x1e0
[ 113.236757] ? handle_bug+0x4d/0x90
[ 113.237202] ? exc_invalid_op+0x13/0x60
[ 113.237689] ? asm_exc_invalid_op+0x16/0x20
[ 113.238185] ? setattr_copy+0x1ee/0x200
[ 113.238692] btrfs_setattr+0x80/0x820 [btrfs]
[ 113.239285] ? get_stack_info_noinstr+0x12/0xf0
[ 113.239857] ? __module_address+0x22/0xa0
[ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd]
[ 113.240993] ? __module_text_address+0x9/0x50
[ 113.241545] ? __module_address+0x22/0xa0
[ 113.242033] ? unwind_next_frame+0x10e/0x920
[ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 113.243268] notify_change+0x2c2/0x4e0
[ 113.243746] ? stack_depot_save_flags+0x27/0x730
[ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd]
[ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd]
[ 113.245613] ? process_scheduled_works+0xbe/0x310
[ 113.246181] ? worker_thread+0x100/0x240
[ 113.246696] ? kthread+0xc8/0x100
[ 113.247126] ? ret_from_fork+0x2b/0x40
[ 113.247606] ? ret_from_fork_asm+0x1a/0x30
[ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd]

ksmbd is trying to set the atime and mtime via notify_change without also setting the ctime. So this patch adds ATTR_CTIME flags when setting mtime to avoid a warning.
AI Analysis
Technical Summary
CVE-2024-57895 addresses a vulnerability in the Linux kernel related to the ksmbd (Kernel SMB Daemon) component, which handles SMB protocol operations within the kernel space. The issue arises when ksmbd sets file timestamps, specifically the access time (atime) and modification time (mtime), via the notify_change function without also setting the change time (ctime) attribute. This omission triggers the kernel warning from setattr_copy_mgtime, which flags the inconsistent attribute update. The warning appears in the kernel log as a WARNING at fs/attr.c:300 in setattr_copy, as shown in the trace above, where the call path runs from smb2_set_info through set_file_basic_info and notify_change into btrfs_setattr. The root cause is that ksmbd did not set the ATTR_CTIME flag when updating mtime, violating the expected kernel semantics for file attribute changes. The patch adds the ATTR_CTIME flag when setting mtime, so the ctime is updated accordingly and the warning no longer fires. This vulnerability does not appear to be exploitable for privilege escalation or remote code execution, but the kernel warning could lead to system instability or denial of service if it triggers a kernel panic (as on systems configured with panic_on_warn) or excessive logging. The vulnerability affects Linux kernel versions around 6.13.0-rc1 and likely other versions using the ksmbd module. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-57895 is primarily related to system stability and reliability rather than direct compromise of confidentiality or integrity. Organizations running Linux servers with the ksmbd module enabled (commonly used for SMB file sharing) may experience kernel warnings that could degrade system performance or lead to denial of service if the warnings escalate to kernel panics. This is particularly relevant for enterprises relying on Linux-based file servers or NAS devices that use ksmbd for SMB protocol support. Although no direct exploitation for data breach or privilege escalation is known, the vulnerability could disrupt critical file sharing services, impacting business continuity. Given the widespread use of Linux in European data centers, cloud environments, and enterprise infrastructure, unpatched systems might face operational risks. However, the absence of known exploits and the nature of the issue as a kernel warning lower the immediate threat level. Still, organizations should prioritize patching to maintain kernel stability and avoid potential service disruptions.
Mitigation Recommendations
European organizations should apply the official Linux kernel patches that address this vulnerability as soon as they become available. Specifically, updating to a kernel version that includes the fix for CVE-2024-57895 or applying backported patches in enterprise Linux distributions is recommended. System administrators should audit Linux servers running ksmbd, especially those providing SMB file sharing services, to identify vulnerable kernel versions. Monitoring kernel logs for warnings related to setattr_copy and ksmbd can help detect unpatched systems. Additionally, organizations should consider temporarily disabling ksmbd if SMB services are not critical or can be migrated to user-space SMB implementations until patches are applied. Testing patches in staging environments is advised to ensure compatibility and stability. Finally, maintaining robust kernel update policies and integrating kernel patching into regular maintenance cycles will mitigate risks from this and similar vulnerabilities.
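Added example, not part of the advisory or of the kernel project: one way to implement the log monitoring recommended above, by flagging setattr_copy warnings whose reliable call-trace frames include ksmbd. It assumes dmesg-style lines; SAMPLE_LOG is an excerpt of the trace quoted on this page plus one constructed unrelated line, and the function name is hypothetical.

```python
import re

# Excerpt of the warning quoted on this page, plus one constructed unrelated line.
SAMPLE_LOG = """\
[  113.215316] ------------[ cut here ]------------
[  113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200
[  113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[  113.234797] Call Trace:
[  113.238185]  ? setattr_copy+0x1ee/0x200
[  113.238692]  btrfs_setattr+0x80/0x820 [btrfs]
[  113.243268]  notify_change+0x2c2/0x4e0
[  113.244993]  set_file_basic_info+0x130/0x2b0 [ksmbd]
[  113.248132]  smb2_set_info+0x63f/0xa70 [ksmbd]
[  200.000001] EXT4-fs (sda1): mounted filesystem
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
WARN = re.compile(r"WARNING: CPU: \d+ PID: \d+ at (\S+) ([\w.]+)\+0x")
# Stack frame: optional "?" (unreliable frame), symbol+off/size, optional [module]
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def find_ksmbd_setattr_warnings(log_text):
    """Return WARNING reports raised in setattr_copy* with a reliable ksmbd frame."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if "[ cut here ]" in line or "[ end trace" in line:
            current = None  # report boundary
            continue
        warn = WARN.search(line)
        if warn:
            current = {"location": warn.group(1), "function": warn.group(2), "frames": []}
            reports.append(current)
            continue
        frame = FRAME.match(line) if current is not None else None
        # "?" frames are stale stack leftovers; only reliable frames count.
        if frame and not frame.group(1):
            current["frames"].append((frame.group(2), frame.group(3)))
    return [r for r in reports
            if r["function"].startswith("setattr_copy")
            and any(module == "ksmbd" for _, module in r["frames"])]

if __name__ == "__main__":
    for hit in find_ksmbd_setattr_warnings(SAMPLE_LOG):
        print(hit["location"], [f for f, m in hit["frames"] if m == "ksmbd"])
```

Matching on the function name rather than the `fs/attr.c:300` line number keeps the check valid across kernel builds where the line differs.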
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:45:42.029Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde9c8
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 8:41:32 AM
Last updated: 8/14/2025, 6:48:34 AM