CVE-2024-40972
📋 TL;DR
CVE-2024-40972 is a race condition vulnerability in the Linux kernel's ext4 filesystem in which Extended Attribute (EA) inodes are created while a buffer lock is held. This improper locking can lead to deadlocks when the filesystem is corrupted, potentially causing system instability. It affects Linux systems using ext4 filesystems with extended attributes enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
System deadlock leading to denial of service, requiring hard reboot and potential filesystem corruption or data loss.
Likely Case
System hangs or crashes when accessing corrupted filesystems with extended attributes, causing temporary denial of service.
If Mitigated
Minor performance impact during EA operations with no security consequences if filesystem is healthy.
🎯 Exploit Status
Exploitation requires ability to create or manipulate filesystem corruption and extended attributes. Primarily a reliability issue rather than security bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel commits referenced in CVE
Vendor Advisory: https://git.kernel.org/stable/c/0752e7fb549d90c33b4d4186f11cfd25a556d1dd
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable extended attributes on ext4
Mount ext4 filesystems with the 'noattr' option to disable extended attributes
mount -o remount,noattr /mount/point
Add 'noattr' to /etc/fstab options for ext4 partitions
🧯 If You Can't Patch
- Monitor system logs for filesystem corruption warnings and deadlock indicators
- Implement strict access controls to prevent unauthorized users from manipulating extended attributes
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with distribution's patched versions. Vulnerable if using unpatched kernel with ext4 EA support.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version matches patched version from vendor advisory and test EA operations on ext4.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Filesystem deadlock warnings in dmesg
- Processes stuck in 'D' state (uninterruptible sleep)
Network Indicators:
- None - local filesystem issue
SIEM Query:
source="kernel" AND ("deadlock" OR "ext4" OR "xattr" OR "EA inode")
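The log indicators above, narrowed into a concrete check (an added example, not from the original page or the kernel project): the script scans kernel log text for hung-task reports and keeps only those whose call trace includes an ext4_xattr* frame. The sample log is constructed, and the function name ext4_xattr_hangs and the ext4_xattr prefix filter are assumptions chosen for illustration.

```python
import re

# Header printed by the kernel's hung-task detector.
HUNG = re.compile(r"INFO: task (.+):(\d+) blocked for more than (\d+) seconds")
# Stack frame such as "ext4_xattr_block_set+0x1f5/0xe40", optionally "? "-prefixed.
FRAME = re.compile(r"^\s*(?:\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP = re.compile(r"^\[\s*\d+\.\d+\]")  # leading "[ 3625.101234]" timestamp

# Constructed sample, not a captured trace of this CVE.
SAMPLE = """\
[ 3625.101234] INFO: task setfattr:4312 blocked for more than 120 seconds.
[ 3625.101250] task:setfattr        state:D stack:0     pid:4312  ppid:4100
[ 3625.101255] Call Trace:
[ 3625.101257]  <TASK>
[ 3625.101260]  __schedule+0x2eb/0x8d0
[ 3625.101280]  __lock_buffer+0x2c/0x40
[ 3625.101290]  ext4_xattr_block_set+0x1f5/0xe40
[ 3625.101300]  ext4_xattr_set_handle+0x4d1/0x6b0
[ 3625.101305]  </TASK>
[ 3700.000001] INFO: task kworker/u8:2:77 blocked for more than 120 seconds.
[ 3700.000010] Call Trace:
[ 3700.000011]  <TASK>
[ 3700.000020]  __schedule+0x2eb/0x8d0
[ 3700.000030]  nfs_wait_bit_killable+0x1a/0x90
[ 3700.000031]  </TASK>
""".splitlines()


def ext4_xattr_hangs(lines):
    """Return hung-task reports whose call trace has an ext4_xattr* frame."""
    reports, current = [], None
    for raw in lines:
        line = STAMP.sub("", raw.rstrip("\n"))
        m = HUNG.search(line)
        if m:
            current = {"task": m.group(1), "pid": int(m.group(2)),
                       "seconds": int(m.group(3)), "frames": []}
            reports.append(current)
        elif "</TASK>" in line:
            current = None  # end of this report's call trace
        elif current is not None and (f := FRAME.match(line)):
            current["frames"].append(f.group(1))
    return [r for r in reports
            if any(fn.startswith("ext4_xattr") for fn in r["frames"])]


if __name__ == "__main__":
    for hit in ext4_xattr_hangs(SAMPLE):
        print(hit["task"], hit["pid"], hit["seconds"], hit["frames"])
```

Feed it the output of dmesg or journalctl -k split into lines; a hit narrows triage to hangs on the ext4 xattr path but does not by itself confirm this CVE.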
🔗 References
- https://git.kernel.org/stable/c/0752e7fb549d90c33b4d4186f11cfd25a556d1dd
- https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b
- https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752
- https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html