CVE-2024-49994
📋 TL;DR
This CVE describes an integer overflow in the Linux kernel's handling of the BLKSECDISCARD ioctl (blk_ioctl_secure_erase() in block/ioctl.c). The ioctl takes a 64-bit byte offset and a 64-bit byte length; the range check added start + len in unsigned 64-bit arithmetic without detecting wrap-around, so a length close to 2^64 makes the sum small, the end-of-device check passes, and blkdev_issue_secure_erase() enters a near-infinite loop issuing secure-erase requests for a range of roughly 2^55 sectors, far past the end of the device. A local user who can open an affected block device for writing can pin a CPU in the kernel this way, a denial of service. Systems are affected when such users exist and the device's driver advertises secure-erase support.
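The following is an added example, not code from the kernel or from the fix commits. It models the range check in the BLKSECDISCARD handler before and after the fix and feeds it the two u64 values quoted as the reproducer in the fix's commit message (start = 512, len = 2^64 - 512). The device size is a constructed 1 MiB so the numbers can be followed by hand; function names are the example's own.

```c
/* Added example (not kernel code): models the bounds check in the kernel's
 * BLKSECDISCARD handler before and after the CVE-2024-49994 fix.
 * The ioctl argument is two u64 values: byte offset (start) and byte length
 * (len). The values used below are the reproducer from the commit message. */
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

/* Constructed device size for the model: 2048 sectors of 512 bytes (1 MiB),
 * matching the "limit=2048" in the kernel log quoted in the commit message. */
#define DEV_BYTES ((uint64_t)2048 * 512)

/* Pre-fix validation: sector alignment plus an end-of-device check.
 * start + len is computed in u64 and silently wraps, so a len close to
 * 2^64 makes the sum small and the range appears to fit on the device. */
static int validate_prefix(uint64_t start, uint64_t len, uint64_t dev_bytes)
{
	if (start & 511)
		return -EINVAL;
	if (len & 511)
		return -EINVAL;
	if (start + len > dev_bytes)      /* 512 + (2^64 - 512) wraps to 0 */
		return -EINVAL;
	return 0;
}

/* Post-fix validation: a wrap-around check rejects any pair whose sum
 * overflows before the end-of-device comparison is made. */
static int validate_fixed(uint64_t start, uint64_t len, uint64_t dev_bytes)
{
	if (start & 511)
		return -EINVAL;
	if (len & 511)
		return -EINVAL;
	if (start + len < start)          /* unsigned wrap-around */
		return -EINVAL;
	if (start + len > dev_bytes)
		return -EINVAL;
	return 0;
}

/* Number of 512-byte sectors the erase loop would walk if the range were
 * accepted. With the reproducer's len this is 2^55 - 1 sectors. */
static uint64_t sectors_to_issue(uint64_t len)
{
	return len >> 9;
}

int main(void)
{
	/* Reproducer from the commit message: r[0] = start, r[1] = len. */
	uint64_t r[2] = { 512, 18446744073709551104ULL };

	printf("pre-fix check  : %d (0 = accepted)\n",
	       validate_prefix(r[0], r[1], DEV_BYTES));
	printf("post-fix check : %d (-%d = EINVAL)\n",
	       validate_fixed(r[0], r[1], DEV_BYTES), EINVAL);
	printf("sectors the loop would walk if accepted: %llu\n",
	       (unsigned long long)sectors_to_issue(r[1]));
	return 0;
}
```

The pre-fix model accepts the pair because the sum wraps to exactly 0, which is not greater than the device size; the post-fix model rejects it because the sum is smaller than the starting offset, which can only happen on overflow.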
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
A CPU core pinned in the kernel's secure-erase loop for an effectively unbounded range (the reproducer requests about 2^55 sectors), the kernel log flooded with end-of-device errors, and the affected block device stalled; in practice recovery means a reboot, with the downtime and potential data loss that implies.
Likely Case
Local denial of service: a CPU-bound loop in kernel context that makes the affected block device unusable and degrades the host until it is restarted.
If Mitigated
Minimal impact where only trusted users can open block devices for writing, since the ioctl rejects descriptors not opened for writing before reaching the vulnerable code.
🎯 Exploit Status
Exploitation requires local access and a file descriptor on a block device opened for writing (the ioctl returns EBADF otherwise); the device's driver must also advertise secure-erase support, or the ioctl returns EOPNOTSUPP before the vulnerable path. The fix's author independently rediscovered the same overflow that had earlier been fixed in the BLKDISCARD handler (blk_ioctl_discard()), and the commit message includes a two-line reproducer against a loop device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 0842ddd83939eb4db940b9af7d39e79722bc41aa, 697ba0b6ec4ae04afb67d3911799b5e2043b4455, 6c9915fa9410cbb9bd75ee283c03120046c56d3d, 8476f8428e8b48fd7a0e4258fa2a96a8f4468239, a99bacb35c1416355eef957560e8fcac3a665549
Vendor Advisory: https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the running kernel version after reboot.
🔧 Temporary Workarounds
Restrict block device access
Linux: Limit access to block device files so that untrusted users cannot open them for writing and therefore cannot issue BLKSECDISCARD. Most distributions ship block devices as mode 660 owned by root:disk, so the change below removes the disk group's access; check which accounts are in that group before applying it. Permissions set with chmod are recreated by udev when a device reappears, so a persistent change needs a udev rule instead. The setfacl line only restates root's access and adds nothing beyond the chmod.
chmod 600 /dev/sd*
chmod 600 /dev/loop*
setfacl -m u:root:rw- /dev/sd*
Disable secure erase capability
Linux: Not available as a workaround. hdparm --security-disable acts on the ATA Security feature set (the drive password lock) and has no effect on the BLKSECDISCARD ioctl. Whether the vulnerable loop is reachable depends on whether the block driver advertises secure-erase support (the ioctl returns EOPNOTSUPP on devices without it), which is a driver property and not something user space can turn off. Rely on the access restriction above.
🧯 If You Can't Patch
- Implement strict access controls on /dev block device files to prevent unauthorized users from accessing them
- Monitor kernel logs for repeated 'attempt to access beyond end of device' messages with rw=5 (secure erase) and for 'bio_check_eod: N callbacks suppressed' lines, which indicate a flood of out-of-range requests consistent with exploitation
🔍 How to Verify
Check if Vulnerable:
Check the running kernel against your distribution's security advisory for this CVE. The five commits listed above are the fix and its stable-branch backports; a kernel built from a branch that does not contain the corresponding commit is vulnerable. Distribution kernels carry their own version strings, so rely on the advisory's package version rather than the upstream version number alone.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version after update matches patched version from distribution security advisory.
📡 Detection & Monitoring
Log Indicators:
- kernel logs showing '<process>: attempt to access beyond end of device' followed by '<device>: rw=5, sector=..., nr_sectors = ..., limit=...' (rw=5 is the secure-erase operation)
- repeated 'bio_check_eod: N callbacks suppressed' rate-limit messages
- a process stuck in a BLKSECDISCARD ioctl consuming 100% of a CPU in kernel mode
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("attempt to access beyond end of device" OR ("bio_check_eod" AND "callbacks suppressed"))
🔗 References
- https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa
- https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455
- https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d
- https://git.kernel.org/stable/c/8476f8428e8b48fd7a0e4258fa2a96a8f4468239
- https://git.kernel.org/stable/c/a99bacb35c1416355eef957560e8fcac3a665549
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html