CVE-2024-53235
📋 TL;DR
A null pointer dereference vulnerability in the Linux kernel's EROFS filesystem driver when mounted over FUSE can cause kernel crashes. This affects systems using EROFS file-backed mounts over FUSE filesystems. The vulnerability allows denial of service through kernel panics.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data corruption or loss if the system is performing critical operations.
Likely Case
System crash or kernel panic when accessing EROFS mounts over FUSE, resulting in temporary denial of service until system reboot.
If Mitigated
No impact if EROFS is not mounted over FUSE or if the system is patched.
🎯 Exploit Status
Requires ability to mount EROFS over FUSE and trigger specific read operations. Discovered through syzbot fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 3a23787ca8756920d65fda39f41353a4be1d1642 and 5036f2f024cac40a02ea6ea70de2c3a4407d16bc
Vendor Advisory: https://git.kernel.org/stable/c/3a23787ca8756920d65fda39f41353a4be1d1642
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fixes. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable EROFS mounts over FUSE
linuxPrevent mounting EROFS filesystems over FUSE to avoid triggering the vulnerability
# Avoid using: mount -t erofs -o loopback /path/to/image /mnt/erofs over FUSE mounts
Disable EROFS kernel module
linuxRemove or blacklist EROFS kernel module if not needed
echo 'blacklist erofs' >> /etc/modprobe.d/blacklist.conf
rmmod erofs
🧯 If You Can't Patch
- Avoid mounting EROFS filesystems over FUSE filesystems
- Monitor systems for kernel panic logs and investigate any EROFS+FUSE usage
🔍 How to Verify
Check if Vulnerable:
Check if system uses EROFS mounted over FUSE and has unpatched kernel. Run: mount | grep erofs and check if mounted on FUSE filesystem.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes the fix commits: grep -q '3a23787ca8756920d65fda39f41353a4be1d1642\|5036f2f024cac40a02ea6ea70de2c3a4407d16bc' /proc/version📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- Null pointer dereference errors mentioning fuse_read_args_fill or erofs_bread
- System crash/reboot events
Network Indicators:
- None - local filesystem vulnerability
SIEM Query:
source="kern.log" AND ("kernel panic" OR "null-ptr-deref" OR "fuse_read_args_fill" OR "erofs_bread")