CVE-2024-49983 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free
When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process:
    ext4_ext_replay_update_ex
      ppath = path
      ext4_force_split_extent_at(&ppath)
        ext4_split_extent_at
          ext4_ext_insert_extent
            ext4_ext_create_new_leaf
              ext4_ext_grow_indepth
                ext4_find_extent
                  if (depth > path[0].p_maxdepth)
                    kfree(path)               ---> path First freed
                    *orig_path = path = NULL  ---> null ppath
      kfree(path)                             ---> path double-free !!!
So drop the unnecessary ppath and use path directly to avoid this problem. And use ext4_find_extent() directly to update path, avoiding unnecessary memory allocation and freeing. Also, propagate the error returned by ext4_find_extent() instead of using strange error codes.
Analysis
by VulDB Data Team • 03/21/2026
This vulnerability exists in the Linux kernel's ext4 filesystem implementation and is a critical double-free error that could lead to system instability or potential privilege escalation. The issue manifests within the ext4_ext_replay_update_ex() function, where improper pointer ownership allows the same memory block to be freed twice. The vulnerability stems from a flaw in how extent path structures are handled during extent splitting: the split routine updates one pointer while the function later frees another, stale one, which can corrupt kernel memory.
The technical flaw occurs when ext4_force_split_extent_at() is called within ext4_ext_replay_update_ex(): ppath is initialized from path and passed to the split routine, but the later kfree() targets the local path variable rather than the now-updated ppath. Deep in the split, ext4_find_extent() can free the path structure when the extent tree grows deeper than the existing path allows, and it then sets the caller's pointer (ppath) to NULL; the local path still holds the stale address, so the subsequent kfree(path) releases the already freed block a second time. This double-free scenario is particularly dangerous because it can lead to memory corruption that may be exploited to gain kernel-level privileges or cause system crashes.
The operational impact of this vulnerability extends beyond simple system instability, since it is a memory safety issue that could be leveraged by malicious actors. The vulnerability affects the ext4 filesystem's ability to properly manage extent structures during file operations, potentially allowing arbitrary code execution in kernel space. Attackers could exploit this by crafting specific file operations that trigger the problematic code path, leading to system compromise. The issue is particularly concerning because it operates at the kernel level, where privilege escalation is possible, and the double-free condition could be used to corrupt kernel data structures or execute malicious code with root privileges.
The fix addresses the core memory management issue by eliminating the unnecessary ppath variable and using the path structure directly throughout the function, so the pointer the split routine updates is the same one the function later frees. This prevents the double-free condition by ensuring that each memory allocation has exactly one corresponding deallocation. Additionally, the solution improves error handling by propagating the error returned by ext4_find_extent() instead of using arbitrary error codes, which enhances the overall reliability of the filesystem implementation. The fix also passes the existing path back to ext4_find_extent() rather than freeing it and looking it up again, removing unnecessary allocation and deallocation cycles and improving performance while eliminating the security vulnerability. This aligns with common practices for preventing memory corruption vulnerabilities and follows established patterns for kernel memory management. The solution directly addresses the underlying CWE-415: Double Free vulnerability category and mitigates potential ATT&CK techniques related to privilege escalation through kernel exploitation.
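The ownership mistake described above and the shape of the fix, as an added user-space model that is not kernel code and not the ext4 patch: struct ext_path, model_kfree(), model_find_extent(), replay_buggy() and replay_fixed() are constructed stand-ins for the kernel functions, and a freed flag on each block counts a second release instead of corrupting the heap.

```c
#include <stdlib.h>
/* Constructed user-space model of the ext4 extent-path ownership bug, not
 * kernel code. A 'freed' flag on each block lets a second release be counted
 * instead of corrupting the heap the way a real double kfree() would. */
struct ext_path { int p_maxdepth; int freed; };
static int double_free_events;
static void model_kfree(struct ext_path *p) {
    if (!p) return;                            /* kfree(NULL) is a no-op */
    if (p->freed) { double_free_events++; return; }
    p->freed = 1;                              /* never returned to malloc here */
}
/* Stands in for ext4_find_extent(): if the existing path is too shallow for
 * 'depth' it frees it, nulls the caller's pointer, and allocates a new one. */
static struct ext_path *model_find_extent(struct ext_path **orig_path, int depth) {
    struct ext_path *path = *orig_path;
    if (path && depth > path->p_maxdepth) {
        model_kfree(path);                     /* ---> path first freed */
        *orig_path = path = NULL;              /* ---> caller's pointer nulled */
    }
    if (!path) {
        if (!(path = calloc(1, sizeof *path))) return NULL;
        path->p_maxdepth = depth;
    }
    *orig_path = path;
    return path;
}
/* Buggy shape of ext4_ext_replay_update_ex(): the callee updates 'ppath',
 * but the function keeps using and freeing the stale local 'path'. */
static int replay_buggy(void) {
    struct ext_path *path = NULL, *ppath;
    double_free_events = 0;
    path = model_find_extent(&path, 1);
    ppath = path;
    model_find_extent(&ppath, 2);              /* tree grows: 'path' is freed */
    model_kfree(path);                         /* ---> path double-free !!! */
    return double_free_events;                 /* 1 */
}
/* Fixed shape: ppath is gone, 'path' is the single owning pointer and is
 * handed back to the lookup, so it is updated in place rather than re-found. */
static int replay_fixed(void) {
    struct ext_path *path = NULL;
    double_free_events = 0;
    path = model_find_extent(&path, 1);
    path = model_find_extent(&path, 2);        /* 'path' is always current */
    model_kfree(path);                         /* exactly one release */
    return double_free_events;                 /* 0 */
}
```

The model never hands blocks back to the allocator, so the stale pointer can be inspected safely; in the real kernel the second kfree(path) would hit the slab allocator with an already released object.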