CVE-2024-49867
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's Btrfs filesystem during unmount can cause kernel crashes or potential privilege escalation. This affects Linux systems using Btrfs filesystems when unmount operations occur while fixup workers are still running. The vulnerability allows a local attacker to trigger a kernel panic or potentially execute arbitrary code.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation to kernel mode allowing full system compromise.
Likely Case
System crash or kernel panic during unmount operations, leading to denial of service.
If Mitigated
No impact if patched or if Btrfs is not used.
🎯 Exploit Status
Requires local access and ability to trigger unmount operations. Race condition makes exploitation timing-dependent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 41fd1e94066a815a7ab0a7025359e9b40e4b3576, 4c98fe0dfa2ae83c4631699695506d8941db4bfe, 65d11eb276836d49003a8060cf31fa2284ad1047, 70b60c8d9b42763d6629e44f448aa5d8ae477d61, 9da40aea63f8769f28afb91aea0fac4cf6fbbb65
Vendor Advisory: https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Avoid Btrfs unmount operations
linuxPrevent unmount of Btrfs filesystems while system is in use
# Monitor for unmount attempts
# Use mount options to prevent unmount
Use alternative filesystem
linuxMigrate from Btrfs to ext4 or other filesystems
# Backup data
# Convert filesystem or reformat
🧯 If You Can't Patch
- Restrict local user access to prevent unmount operations
- Monitor for Btrfs unmount events and investigate suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if Btrfs is in use: uname -r and cat /proc/filesystems | grep btrfsCheck Version:
uname -rVerify Fix Applied:
Verify kernel version is patched and test unmount operations on Btrfs filesystems📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- Btrfs unmount errors
- KASAN reports of use-after-free
Network Indicators:
- None - local vulnerability
SIEM Query:
Search for: 'KASAN: slab-use-after-free' OR 'btrfs' AND 'panic' OR 'crash' in kernel logs🔗 References
- https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576
- https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe
- https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047
- https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61
- https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65
- https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9
- https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4
- https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
