{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-49884","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.022Z","datePublished":"2024-10-21T18:01:21.517Z","dateUpdated":"2025-11-03T22:22:51.014Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:40:25.660Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-use-after-free in ext4_split_extent_at()\n\nWe hit the following use-after-free:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0\nRead of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40\nCPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n ext4_split_extent_at+0xba8/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nAllocated by task 40:\n __kmalloc_noprof+0x1ac/0x480\n ext4_find_extent+0xf3b/0x1e70\n ext4_ext_map_blocks+0x188/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nFreed by task 40:\n kfree+0xf1/0x2b0\n ext4_find_extent+0xa71/0x1e70\n ext4_ext_insert_extent+0xa22/0x3260\n ext4_split_extent_at+0x3ef/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\next4_split_extent_at\n  path = *ppath\n  ext4_ext_insert_extent(ppath)\n    ext4_ext_create_new_leaf(ppath)\n      ext4_find_extent(orig_path)\n        path = *orig_path\n        read_extent_tree_block\n          // return -ENOMEM or -EIO\n        ext4_free_ext_path(path)\n          kfree(path)\n        *orig_path = NULL\n  a. If err is -ENOMEM:\n  ext4_ext_dirty(path + path->p_depth)\n  // path use-after-free !!!\n  b. If err is -EIO and we have EXT_DEBUG defined:\n  ext4_ext_show_leaf(path)\n    eh = path[depth].p_hdr\n    // path also use-after-free !!!\n\nSo when trying to zeroout or fix the extent length, call ext4_find_extent()\nto update the path.\n\nIn addition we use *ppath directly as an ext4_ext_show_leaf() input to\navoid possible use-after-free when EXT_DEBUG is defined, and to avoid\nunnecessary path updates."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/extents.c"],"versions":[{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"393a46f60ea4f249dc9d496d4eb2d542f5e11ade","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"448100a29395b0c8b4c42967155849fe0fbe808f","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"e52f933598b781d291b9297e39c463536da0e185","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"cafcc1bd62934547c76abf46c6d0d54f135006fe","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"a5401d4c3e2a3d25643c567d26e6de327774a2c9","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"8fe117790b37c84c651e2bad9efc0e7fda73c0e3","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"5d949ea75bb529ea6342e83465938a3b0ac51238","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"915ac3630488af0ca194dc63b86d99802b4f6e18","status":"affected","versionType":"git"},{"version":"dfe5080939ea4686b3414b5d970a9b26733c57a4","lessThan":"c26ab35702f8cd0cdc78f96aa5856bfb77be798f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/extents.c"],"versions":[{"version":"3.18","status":"affected"},{"version":"0","lessThan":"3.18","status":"unaffected","versionType":"semver"},{"version":"4.19.323","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.290","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.227","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.168","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.113","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.55","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.10.14","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11.3","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"4.19.323"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"5.4.290"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"5.10.227"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"5.15.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.1.113"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.6.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.10.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.11.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade"},{"url":"https://git.kernel.org/stable/c/448100a29395b0c8b4c42967155849fe0fbe808f"},{"url":"https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185"},{"url":"https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe"},{"url":"https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9"},{"url":"https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3"},{"url":"https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238"},{"url":"https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18"},{"url":"https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f"}],"title":"ext4: fix slab-use-after-free in ext4_split_extent_at()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-49884","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:45:15.776351Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:48:50.117Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:22:51.014Z"}}]}}