CVE-2024-40913 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
After installing the anonymous fd, we can now see it in userland and close it. However, at this point we may not have gotten the reference count of the cache, but we will put it during close fd, so this may cause a cache UAF.
So grab the cache reference count before fd_install(). In addition, by kernel convention, fd is taken over by the user land after fd_install(), and the kernel should not call close_fd() after that, i.e., it should call fd_install() after everything is ready, thus fd_install() is called after copy_to_user() succeeds.
Analysis
by VulDB Data Team • 09/17/2025
CVE-2024-40913 is a use-after-free (CWE-416) in the cachefiles subsystem of the Linux kernel, reached through the anonymous file descriptor that cachefiles creates and hands to its user-space daemon. The defect is one of ordering rather than a missing check: the descriptor is made visible to user space before the kernel holds the cache reference that the descriptor is supposed to own, and before the copy_to_user() that reports the descriptor number has been confirmed to succeed.
The pre-fix sequence was fd_install(), then copy_to_user(), then taking the cache reference. fd_install() is the publication point: as soon as it returns, any thread of the owning process can close() the descriptor. The release path of that anonymous file puts a cache reference, so a close that lands before the kernel has taken its own reference drops a count nobody acquired, and the cache object can reach zero and be freed while kernel code is still about to use it. The window is narrow, but its timing is under user-space control, which is what makes this a race with a real trigger rather than a theoretical ordering nit.
The practical consequence is what any kernel use-after-free gives you: the reliable outcome is a crash (denial of service) once the freed slab memory is reused; with control over what gets reallocated into it, a process that can already drive the cachefiles interface could attempt to corrupt kernel memory and escalate privileges. Reachability is the caveat a practitioner should weigh: the anonymous descriptor is handed to the daemon that opened /dev/cachefiles, which in typical deployments is a privileged process, so unless that daemon is compromised or the device node is exposed more widely the bug is mostly a robustness and defence-in-depth issue. In ATT&CK terms the exploitation scenario is T1068 (Exploitation for Privilege Escalation); the fix removes the precondition rather than mapping to a mitigation of its own.
The fix reorders the three steps: take the cache reference first, then copy_to_user(), and call fd_install() last, only after the copy has succeeded. Two properties follow. First, whenever the descriptor is visible, the reference its release path will put has already been taken, so an immediate close() can only return the count to where it was. Second, the kernel never has to close_fd() an installed descriptor on an error path: if copy_to_user() fails, nothing has been installed yet and cleanup is purely kernel-internal. This second point is the convention the commit message cites: after fd_install() the descriptor belongs to user space, which may already have closed it and reused the number, so a kernel-side close_fd() at that point could close an unrelated file.
The general lesson is that an object must be fully set up, with every reference its lifetime depends on already held, before it is published to another trust domain; fd_install() is such a publication point and is the point of no return. When reviewing code that hands kernel objects to user space, check that fd_install() or its equivalent is the last step and that nothing after it can fail.
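The following user-space model is an added example, not code from the kernel or from the cachefiles commit. It replays the two orderings the commit message contrasts with simplified stand-ins (a refcounted cache, a four-slot fd table, and fd_install_sim/close_fd_sim/copy_to_user_sim named after the kernel calls they imitate) so that the race and the error-path problem can be observed deterministically: a "user closes early" flag stands in for the userland thread winning the race, and a "copy fails" flag for copy_to_user() returning an error.

```c
/*
 * Added model (not kernel code) of the ordering bug fixed by CVE-2024-40913.
 * The cache, fd table and the *_sim() helpers are stand-ins for the kernel
 * concepts named in the commit message; nothing here is the real cachefiles code.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum outcome {
    OUTCOME_OK = 0,                    /* descriptor handed over, refcounts consistent */
    OUTCOME_ERR = 1,                   /* clean failure, nothing leaked */
    OUTCOME_CACHE_UAF = 2,             /* kernel used the cache after its last reference went */
    OUTCOME_KERNEL_CLOSED_USER_FD = 3  /* kernel called close_fd() on an fd userland already owned */
};

/* Simplified cache object: a refcount and a flag standing in for "kfree() happened". */
struct cache { int refcnt; bool freed; };
static struct cache sim_cache;

static void cache_get(struct cache *c) { c->refcnt++; }
static void cache_put(struct cache *c) { if (--c->refcnt == 0) c->freed = true; }

/* The anonymous file: its release hook puts the cache reference it owns. */
struct file { struct cache *cache; };

#define NR_FDS 4
static struct file *fdtable[NR_FDS];

/* fd_install() stand-in: from here on userland can see and close the fd. */
static int fd_install_sim(struct file *f)
{
    for (int fd = 0; fd < NR_FDS; fd++)
        if (!fdtable[fd]) { fdtable[fd] = f; return fd; }
    return -1;
}

/* Serves both as userland close() and as a kernel-side close_fd(). */
static void close_fd_sim(int fd)
{
    struct file *f = fdtable[fd];
    if (!f) return;
    fdtable[fd] = NULL;
    cache_put(f->cache);   /* the file's release hook */
    free(f);
}

static int open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < NR_FDS; fd++) n += fdtable[fd] != NULL;
    return n;
}

/* copy_to_user() stand-in: the caller decides whether the copy fails. */
static int copy_to_user_sim(bool fail) { return fail ? -1 : 0; }

/* Pre-fix ordering: install, copy, then take the reference. */
static enum outcome buggy_get_fd(struct cache *c, bool user_closes_early, bool copy_fails)
{
    struct file *f = calloc(1, sizeof *f);
    f->cache = c;
    int fd = fd_install_sim(f);          /* published before we hold a cache reference */
    if (user_closes_early)
        close_fd_sim(fd);                /* release puts a reference nobody has taken */
    if (copy_to_user_sim(copy_fails)) {
        close_fd_sim(fd);                /* kernel closing an fd userland already owns */
        return OUTCOME_KERNEL_CLOSED_USER_FD;
    }
    cache_get(c);                        /* too late if the close already happened */
    return c->freed ? OUTCOME_CACHE_UAF : OUTCOME_OK;
}

/* Post-fix ordering: take the reference, copy, install last. */
static enum outcome fixed_get_fd(struct cache *c, bool user_closes_early, bool copy_fails)
{
    struct file *f = calloc(1, sizeof *f);
    f->cache = c;
    cache_get(c);                        /* the fd will own this reference */
    if (copy_to_user_sim(copy_fails)) {
        cache_put(c);                    /* undo our own setup; no fd exists to close */
        free(f);
        return OUTCOME_ERR;
    }
    int fd = fd_install_sim(f);          /* everything is ready; hand over to userland */
    if (user_closes_early)
        close_fd_sim(fd);                /* drops exactly the reference the fd owned */
    return c->freed ? OUTCOME_CACHE_UAF : OUTCOME_OK;
}

/* Run one scenario from a clean state; the cache starts with one reference held by its owner. */
static enum outcome scenario(bool fixed, bool user_closes_early, bool copy_fails)
{
    for (int fd = 0; fd < NR_FDS; fd++) { free(fdtable[fd]); fdtable[fd] = NULL; }
    sim_cache.refcnt = 1;
    sim_cache.freed = false;
    return fixed ? fixed_get_fd(&sim_cache, user_closes_early, copy_fails)
                 : buggy_get_fd(&sim_cache, user_closes_early, copy_fails);
}

int main(void)
{
    enum outcome o = scenario(false, true, false);
    printf("buggy, early close:   outcome %d, refcnt %d, freed %d\n", o, sim_cache.refcnt, sim_cache.freed);
    o = scenario(true, true, false);
    printf("fixed, early close:   outcome %d, refcnt %d, freed %d\n", o, sim_cache.refcnt, sim_cache.freed);
    o = scenario(true, false, true);
    printf("fixed, copy fails:    outcome %d, refcnt %d, open fds %d\n", o, sim_cache.refcnt, open_fds());
    return 0;
}
```

Without the race (no early close) the buggy ordering produces a consistent state, which is why this kind of bug survives functional testing; only the early-close scenario drives the count to zero. The fixed ordering keeps the count at one after an immediate close and, on a failed copy, returns with no descriptor ever having been visible.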