CVE-2024-47736
📋 TL;DR
A deadlock in the Linux kernel's EROFS (Enhanced Read-Only File System) driver. A crafted EROFS image containing overlapping compressed clusters (pclusters) can make the decompression path wait on a page lock that is never released, leaving the reading task hung in uninterruptible sleep. This affects any system that mounts EROFS images (compressed read-only root and system partitions, container and application images). The impact is denial of service; triggering it requires getting the kernel to mount and read a crafted image, so an attacker needs local access or an automount path for untrusted media or images.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
A task hung in D state while holding EROFS locks stalls every other access to that mount and cannot be killed; the only recovery is a reboot. If the sysctl kernel.hung_task_panic=1 is set, the hung-task detector panics the machine outright, with extended downtime and loss of unsynced data.
Likely Case
Local denial of service: a user or automounter that mounts a malicious EROFS image hangs the processes touching that mount; the rest of the system usually keeps running.
If Mitigated
Minimal. If only trusted images are mounted and no unprivileged path (fstab user options, desktop automount, sudo rules for mount) can mount attacker-supplied images, the bug is not reachable.
🎯 Exploit Status
Requires the ability to get a crafted EROFS image mounted and read; no further exploit code is involved. Found via fuzzing (syzbot). The outcome is a hang (denial of service), not code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel stable releases containing commits 1bf7e414cac3, 9cfa199bcbbb, 9e2f9d34dd12, or b9b30af0e86f
Vendor Advisory: https://git.kernel.org/stable/c/1bf7e414cac303c9aec1be67872e19be8b64980c
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version from your distribution (distribution kernels usually backport the fix without changing the upstream version string, so rely on the package changelog or the distribution's CVE tracker, not on the version number alone).
2. Reboot the system to load the new kernel.
3. Verify with uname -r that the running kernel is the patched package.
🔧 Temporary Workarounds
Disable EROFS module
Prevent loading of the EROFS kernel module to eliminate the attack surface. This only works when EROFS is built as a module (CONFIG_EROFS_FS=m); if it is built into the kernel, grep -w erofs /proc/filesystems still lists it after the steps below and the only fix is the patched kernel. The install line stops future loads but does not unload a loaded module, and rmmod fails while any EROFS filesystem is mounted, so unmount those first.
grep -w erofs /proc/filesystems   # registered (built in, or module already loaded)?
grep -w erofs /proc/self/mounts   # live EROFS mounts that must be unmounted first
echo 'install erofs /bin/false' >> /etc/modprobe.d/disable-erofs.conf
rmmod erofs
grep -w erofs /proc/filesystems   # should now print nothing; if it still matches, EROFS is built in
Restrict filesystem mounting
Limit who can get the kernel to mount a filesystem. Mounting a block-device filesystem such as EROFS needs CAP_SYS_ADMIN, so the paths an unprivileged user can reach are fstab entries carrying the user or users option (the setuid mount binary honours them), desktop automounters such as udisks2 that mount removable media on behalf of logged-in users, and sudo rules that grant mount. Tighten each of these; setcap grants file capabilities rather than restricting them, so it is not a control here.
grep -nwE 'user|users' /etc/fstab             # fstab entries any user may mount
grep -rnw mount /etc/sudoers /etc/sudoers.d   # sudo rules that allow mount
# Restrict udisks2 mounting of removable media with a polkit rule, or disable automount on servers
🧯 If You Can't Patch
- Restrict access to mount command and EROFS module loading to trusted users only
- Monitor for unusual filesystem mounting activity and EROFS usage patterns
🔍 How to Verify
Check if Vulnerable:
Run uname -r for the kernel version, then grep -w erofs /proc/filesystems to see whether EROFS is registered (unlike lsmod | grep erofs, this also catches a built-in driver). A version string alone does not prove exposure: distribution kernels backport fixes without changing the upstream version, so check the distribution's CVE tracker or the kernel package changelog for CVE-2024-47736 or one of the commit IDs listed above.
Check Version:
uname -r
Verify Fix Applied:
Confirm that the running kernel's package changelog or your distribution's CVE tracker lists CVE-2024-47736 (or one of the commit IDs above) and that uname -r matches the installed, patched package after the reboot. Do not verify by mounting crafted images on a production host: a successful trigger leaves a task hung until reboot, and mounting only known-good images proves nothing about the fix.
📡 Detection & Monitoring
Log Indicators:
- Hung-task detector messages of the form "INFO: task NAME:PID blocked for more than N seconds." followed by a stack trace through EROFS decompression code (z_erofs_* frames)
- erofs: messages in dmesg for mounts that fail or report corrupted images
- Processes stuck in D state (uninterruptible sleep) that cannot be killed, typically whatever is reading the suspect mount
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("erofs" OR "blocked for more than" OR "hung_task")
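The workaround, verification and detection checks above combined into one triage script, as an added example that is not part of this advisory or of the kernel tree. It classifies how EROFS is available on the host (built in, loaded, loadable, absent), counts live EROFS mounts, checks whether the modprobe install line is already in place, counts the hung-task and erofs indicators in a kernel log, and combines them into a verdict. Input paths default to the standard /proc and /lib/modules locations; every function takes its file as an argument so the same checks run against files copied off other machines. The verdict labels are this script's own, not kernel or distribution terminology.

```shell
#!/bin/sh
# Added triage script for CVE-2024-47736 (not from the advisory or the kernel tree).
# Each check takes its input file as an argument so it runs against the live
# host or against files collected from other machines.

# How is EROFS available on this kernel?
#   builtin  - erofs.ko listed in modules.builtin: a modprobe blacklist changes nothing
#   loaded   - registered in /proc/filesystems as a module: rmmod works only with no mounts
#   loadable - erofs.ko present but not loaded: "install erofs /bin/false" is effective
#   none     - no EROFS support at all
# $1 /proc/filesystems  $2 modules.builtin  $3 modules.dep
erofs_support() {
    if grep -q 'fs/erofs/erofs\.ko' "$2" 2>/dev/null; then
        echo builtin
    elif grep -qw erofs "$1" 2>/dev/null; then
        echo loaded
    elif grep -q 'fs/erofs/erofs\.ko' "$3" 2>/dev/null; then
        echo loadable
    else
        echo none
    fi
}

# Number of live EROFS mounts ($1 = /proc/self/mounts; field 3 is the fs type).
erofs_mount_count() {
    awk '$3 == "erofs" { n++ } END { print n + 0 }' "$1"
}

# Exit 0 if the modprobe.d directory ($1) already blocks the module with an
# "install erofs ..." line, as the workaround above does.
erofs_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+erofs[[:space:]]' "$1"/*.conf
}

# Count log lines carrying the detection indicators ($1 = file of dmesg lines):
# the hung-task detector's "blocked for more than N seconds" and any erofs message.
hung_task_hits() {
    grep -ciE 'blocked for more than [0-9]+ seconds|erofs' "$1" || true
}

# One-word verdict for a host, combining the checks (labels are this script's own).
# $1..$3 as for erofs_support, $4 /proc/self/mounts, $5 /etc/modprobe.d
erofs_verdict() {
    support=$(erofs_support "$1" "$2" "$3")
    mounts=$(erofs_mount_count "$4")
    case $support in
        none)     echo not-exposed ;;
        builtin)  echo exposed-patch-only ;;
        loaded)   if [ "$mounts" -gt 0 ]; then echo exposed-in-use; else echo exposed-rmmod-possible; fi ;;
        loadable) if erofs_blocked "$5"; then echo mitigated-blocked; else echo exposed-loadable; fi ;;
    esac
}

# Run against the live host:  sh erofs-triage.sh --host
if [ "${1:-}" = "--host" ]; then
    mod=/lib/modules/$(uname -r)
    echo "support:  $(erofs_support /proc/filesystems "$mod/modules.builtin" "$mod/modules.dep")"
    echo "mounts:   $(erofs_mount_count /proc/self/mounts)"
    echo "verdict:  $(erofs_verdict /proc/filesystems "$mod/modules.builtin" "$mod/modules.dep" /proc/self/mounts /etc/modprobe.d)"
    echo "log hits: $(dmesg 2>/dev/null | hung_task_hits /dev/stdin)"
fi
```

A verdict of exposed-patch-only means the driver is compiled in and the module workaround cannot apply; exposed-in-use means the module is loaded and something is mounted on it, so rmmod will fail until those mounts are gone. Either way the log-hit count is only an indicator: a hung-task report names the stuck task and its stack, and only a trace through z_erofs_* frames ties it to this bug.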