ext4: fix timer use-after-free on failed mount
Summary
| CVE | CVE-2024-49960 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-10-21 18:15:17 UTC |
| Updated | 2026-06-15 18:23:18 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount. Syzbot has found an ODEBUG bug in ext4_fill_super. The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called. Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-416
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 5e4f5138bd8522ebe231a137682d3857209a2c07 7aac0c17a8cdf4a3236991c1e60435c6a984076c git | Not specified |
| CNA | Linux | Linux | affected 618f003199c6188e01472b03cdbba227f1dc5f24 22e9b83f0f33bc5a7a3181769d1dccbf021f5b04 git | Not specified |
| CNA | Linux | Linux | affected 618f003199c6188e01472b03cdbba227f1dc5f24 cf3196e5e2f36cd80dab91ffae402e13935724bc git | Not specified |
| CNA | Linux | Linux | affected 618f003199c6188e01472b03cdbba227f1dc5f24 9203817ba46ebba7c865c8de2aba399537b6e891 git | Not specified |
| CNA | Linux | Linux | affected 618f003199c6188e01472b03cdbba227f1dc5f24 fa78fb51d396f4f2f80f8e96a3b1516f394258be git | Not specified |
| CNA | Linux | Linux | affected 618f003199c6188e01472b03cdbba227f1dc5f24 b85569585d0154d4db1e4f9e3e6a4731d407feb0 git | Not specified |
| CNA | Linux | Linux | affected 618f003199c6188e01472b03cdbba227f1dc5f24 0ce160c5bdb67081a62293028dc85758a8efb22a git | Not specified |
| CNA | Linux | Linux | affected cecfdb9cf9a700d1037066173abac0617f6788df git | Not specified |
| CNA | Linux | Linux | affected eb7b40d9d3785f7a131fb0b1f89bb6efa46c1833 git | Not specified |
| CNA | Linux | Linux | affected 5.10.51 5.10.237 semver | Not specified |
| CNA | Linux | Linux | affected 5.12.18 5.13 semver | Not specified |
| CNA | Linux | Linux | affected 5.13.3 5.14 semver | Not specified |
| CNA | Linux | Linux | affected 5.14 | Not specified |
| CNA | Linux | Linux | unaffected 5.14 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.237 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.181 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.118 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.55 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.10.14 6.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.11.3 6.11.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.debian.org/debian-lts-announce/2025/05/msg00030.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| git.kernel.org/stable/c/cf3196e5e2f36cd80dab91ffae402e13935724bc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/7aac0c17a8cdf4a3236991c1e60435c6a984076c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/0ce160c5bdb67081a62293028dc85758a8efb22a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/9203817ba46ebba7c865c8de2aba399537b6e891 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/22e9b83f0f33bc5a7a3181769d1dccbf021f5b04 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/fa78fb51d396f4f2f80f8e96a3b1516f394258be | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/b85569585d0154d4db1e4f9e3e6a4731d407feb0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2025/01/msg00001.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.