CVE-2024-49960 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix timer use-after-free on failed mount
Syzbot has found an ODEBUG bug in ext4_fill_super.
The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi).
When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called.
Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability CVE-2024-49960 represents a critical use-after-free condition in the Linux kernel's ext4 filesystem implementation that arises during failed mount operations. This issue stems from improper timer management within the ext4 filesystem driver, specifically concerning the s_err_report timer that is responsible for periodically reporting filesystem errors to system administrators. The vulnerability manifests when the kernel attempts to free memory associated with the superblock information structure (sbi) while the error reporting timer may still be active, creating a scenario where freed memory could be accessed after deallocation.
The technical flaw lies in the ext4 mount code path. del_timer_sync is called to cancel the s_err_report timer, but at the wrong point in the execution flow. When mounting fails, control reaches the failed_mount3 error path, where ext4_stop_mmpd is invoked; the read I/O failure it produces is routed through ext4_handle_error, which re-arms the timer. The timer is therefore active again by the time the superblock information structure is freed with kfree(sbi). The result is a race in which the timer callback can run against freed memory, leading to undefined behavior and potential system instability.
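The ordering defect described in the summary and in the paragraph above can be shown with a small user-space model. The code below is an added example, not the kernel's code and not part of the VulDB entry: toy_timer, toy_sb_info, toy_handle_error, toy_stop_mmpd and the io_fails knob are constructed stand-ins for the kernel timer, ext4_sb_info, ext4_handle_error, ext4_stop_mmpd and the read I/O failure. The two teardown functions differ only in where the cancellation sits relative to the stop_mmpd call, which is exactly the change the fix makes; each returns whether the timer was still armed at the moment the superblock info was freed, the condition ODEBUG flagged.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for a kernel timer: only an "armed" flag.
 * (Not the kernel's struct timer_list.) */
struct toy_timer {
    bool armed;
};

static void timer_arm(struct toy_timer *t)    { t->armed = true; }
static void timer_cancel(struct toy_timer *t) { t->armed = false; }   /* models del_timer_sync() */

/* Constructed stand-in for ext4_sb_info with just the fields this scenario needs. */
struct toy_sb_info {
    struct toy_timer s_err_report;   /* the daily error-report timer */
    int err_count;
};

/* Models ext4_handle_error(): record the error and re-arm the report timer.
 * This re-arm is the side effect the CVE text describes. */
static void toy_handle_error(struct toy_sb_info *sbi)
{
    sbi->err_count++;
    timer_arm(&sbi->s_err_report);
}

/* Models ext4_stop_mmpd(): when its read I/O fails, the failure goes
 * through the error handler. `io_fails` is a constructed knob. */
static void toy_stop_mmpd(struct toy_sb_info *sbi, bool io_fails)
{
    if (io_fails)
        toy_handle_error(sbi);
}

/* Models ODEBUG's check that no timer object lives in memory about to be freed. */
static bool debug_timer_active_at_free(const struct toy_sb_info *sbi)
{
    return sbi->s_err_report.armed;
}

/* Teardown order BEFORE the fix: cancel, then stop_mmpd, then free.
 * Returns true when the timer is still armed at kfree time (the use-after-free). */
bool failed_mount_before_fix(bool io_fails)
{
    struct toy_sb_info *sbi = calloc(1, sizeof *sbi);
    timer_arm(&sbi->s_err_report);      /* timer armed during mount */

    timer_cancel(&sbi->s_err_report);   /* del_timer_sync() called too early */
    toy_stop_mmpd(sbi, io_fails);       /* may re-arm via the error handler */

    bool armed_at_free = debug_timer_active_at_free(sbi);
    free(sbi);                          /* models kfree(sbi) */
    return armed_at_free;
}

/* Teardown order AFTER the fix: stop_mmpd first, then cancel, then free.
 * Any re-arm from the error handler is cancelled before the memory goes away. */
bool failed_mount_after_fix(bool io_fails)
{
    struct toy_sb_info *sbi = calloc(1, sizeof *sbi);
    timer_arm(&sbi->s_err_report);

    toy_stop_mmpd(sbi, io_fails);       /* error path may re-arm here... */
    timer_cancel(&sbi->s_err_report);   /* ...so cancel only after it has run */

    bool armed_at_free = debug_timer_active_at_free(sbi);
    free(sbi);
    return armed_at_free;
}
```

In the buggy ordering the timer is only left armed when the I/O actually fails, which is why the bug needed a fuzzer-driven failed mount to surface and why a debug check placed at the free site (as ODEBUG does) is the practical way to catch this class of defect during testing.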
The operational impact of this vulnerability extends beyond simple system crashes, as it could potentially enable privilege escalation or denial of service attacks in environments where filesystem mounting operations are frequent or automated. The vulnerability is particularly concerning in containerized environments or systems where ext4 filesystems are mounted programmatically, as the use-after-free condition could be exploited to execute arbitrary code with kernel privileges. The issue affects systems running Linux kernel versions where the ext4 filesystem driver is active and where mounting operations may fail due to various I/O or configuration issues.
The fix for CVE-2024-49960 is a small but critical reordering of the error handling flow: the del_timer_sync cancellation of the s_err_report timer is moved to after the ext4_stop_mmpd call, so that any re-arm triggered through ext4_handle_error is cancelled before kfree(sbi). This follows the defensive programming and resource management principle that every kernel resource must be quiesced before the memory it refers to is released. It addresses the core issue reported by Syzbot's ODEBUG detection, which flagged the improper timer lifecycle management in ext4_fill_super. The vulnerability illustrates the importance of careful timer management in kernel code and is categorized under CWE-416 (use after free). It also maps to ATT&CK technique T1068, exploitation for privilege escalation through kernel vulnerabilities, making it a critical patch for system administrators to apply promptly.