7.8
CVE-2024-49889
- EPSS 0.26%
- Veröffentlicht 21.10.2024 18:15:11
- Zuletzt bearbeitet 12.05.2026 12:17:16
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ext4: avoid use-after-free in ext4_ext_show_leaf()
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid use-after-free in ext4_ext_show_leaf()
In ext4_find_extent(), path may be freed by error or be reallocated, so
using a previously saved *ppath may have been freed and thus may trigger
use-after-free, as follows:
ext4_split_extent
path = *ppath;
ext4_split_extent_at(ppath)
path = ext4_find_extent(ppath)
ext4_split_extent_at(ppath)
// ext4_find_extent fails to free path
// but zeroout succeeds
ext4_ext_show_leaf(inode, path)
eh = path[depth].p_hdr
// path use-after-free !!!
Similar to ext4_split_extent_at(), we use *ppath directly as an input to
ext4_ext_show_leaf(). Fix a spelling error by the way.
Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only
used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.
This issue is triggered only when EXT_DEBUG is defined and therefore does
not affect functionality.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version < 5.10.227
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.168
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.113
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.55
Linux ≫ Linux Kernel Version >= 6.7 < 6.10.14
Linux ≫ Linux Kernel Version >= 6.11 < 6.11.3
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.167 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/2eba3b0cc5b8de624918d21f32b5b8db59a90b39
https://git.kernel.org/stable/c/34b2096380ba475771971a778a478661a791aa15
https://git.kernel.org/stable/c/4999fed877bb64e3e7f9ab9996de2ca983c41928
https://git.kernel.org/stable/c/4e2524ba2ca5f54bdbb9e5153bea00421ef653f5
https://git.kernel.org/stable/c/8b114f2cc7dd5d36729d040b68432fbd0f0a8868
https://git.kernel.org/stable/c/b0cb4561fc4284d04e69c8a66c8504928ab2484e
https://git.kernel.org/stable/c/d483c7cc1796bd6a80e7b3a8fd494996260f6b67
https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
https://cert-portal.siemens.com/productcert/html/ssa-355557.html