CVE-2024-56672
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's block cgroup subsystem that allows an attacker to potentially crash the system or execute arbitrary code with kernel privileges. It affects Linux systems using cgroup v2 with block I/O controller enabled. The vulnerability occurs during cleanup of block cgroup structures.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation to kernel mode allowing complete system compromise.
Likely Case
System instability or kernel panic causing denial of service.
If Mitigated
Minimal impact if cgroup v2 block I/O controller is disabled or systems are not under heavy cgroup operations.
🎯 Exploit Status
The CVE description mentions the UAF is not easy to trigger and required artificial delays (msleep) to reproduce. Exploitation would require local access and specific cgroup operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches (commits: 29d1e06560f0f6179062ac638b4064deb637d1ad, 5baa28569c924d9a90d036c2aaab79f791fedaf8, 64afc6fe24c9896c0153e5a199bcea241ecb0d5c, 83f5a87ee8caa76a917f59912a74d6811f773c67, 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af)
Vendor Advisory: https://git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4064deb637d1ad
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution's repositories. 2. Reboot the system to load the new kernel. 3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Disable cgroup v2 block I/O controller
linuxDisable the block I/O controller in cgroup v2 to prevent triggering the vulnerable code path
echo '+io' > /sys/fs/cgroup/cgroup.subtree_control
mount -t cgroup2 none /sys/fs/cgroup
echo 'io' > /sys/fs/cgroup/cgroup.subtree_control
🧯 If You Can't Patch
- Restrict local user access to systems where cgroup operations are performed
- Monitor system logs for kernel panics or cgroup-related errors
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if it contains the vulnerable code. The vulnerability exists in kernels with the specific blkcg_unpin_online() function before the fix.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated to a version containing one of the fix commits. Check dmesg for absence of KASAN reports related to blkcg_unpin_online.📡 Detection & Monitoring
Log Indicators:
- KASAN: slab-use-after-free in blkcg_unpin_online
- kernel panic messages
- cgroup-related error messages in dmesg
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Search for 'blkcg_unpin_online' or 'KASAN: slab-use-after-free' in kernel logs🔗 References
- https://git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4064deb637d1ad
- https://git.kernel.org/stable/c/5baa28569c924d9a90d036c2aaab79f791fedaf8
- https://git.kernel.org/stable/c/64afc6fe24c9896c0153e5a199bcea241ecb0d5c
- https://git.kernel.org/stable/c/83f5a87ee8caa76a917f59912a74d6811f773c67
- https://git.kernel.org/stable/c/86e6ca55b83c575ab0f2e105cf08f98e58d3d7af
- https://git.kernel.org/stable/c/8a07350fe070017a887433f4d6909433955be5f1
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
