CVE-2024-50043 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix possible badness in FREE_STATEID
When multiple FREE_STATEIDs are sent for the same delegation stateid, it can lead to a possible either use-after-free or counter refcount underflow errors.
In nfsd4_free_stateid() under the client lock we find a delegation stateid, however the code drops the lock before calling nfs4_put_stid(), that allows another FREE_STATE to find the stateid again. The first one will proceed to then free the stateid which leads to either use-after-free or decrementing already zeroed counter.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability CVE-2024-50043 represents a critical race condition in the Linux kernel's NFS server implementation that can lead to system instability and potential security exploits. This flaw exists within the nfsd4_free_stateid() function which handles the cleanup of delegation state identifiers in the Network File System version 4 implementation. The vulnerability arises from improper lock management during concurrent operations, creating a window where multiple threads can simultaneously process the same state identifier, leading to unpredictable system behavior.
The technical flaw manifests as a race condition between the client lock acquisition and release in the nfsd4_free_stateid() function. When the NFS server receives multiple FREE_STATEID requests for the same delegation state identifier, the code first locates the stateid while holding the client lock, but then releases the lock before calling nfs4_put_stid(). This temporal gap allows other threads to access and potentially process the same stateid concurrently. When the first thread continues execution and frees the stateid, it can result in either a use-after-free condition where memory is accessed after deallocation or a reference count underflow where the counter is decremented below zero, both of which can cause system crashes or memory corruption.
The operational impact of this vulnerability extends beyond simple system crashes, as it can be exploited to cause denial of service attacks against NFS servers or potentially enable privilege escalation in certain configurations. The race condition affects the core state management functionality of the NFS server, making it particularly dangerous in production environments where NFS services are heavily utilized. The vulnerability is especially concerning because it operates at the kernel level and can be triggered through normal NFS client operations, meaning that any NFS server processing multiple concurrent free requests for the same delegation stateid is potentially vulnerable.
Mitigation strategies for CVE-2024-50043 should focus on immediate patch deployment from kernel vendors, as the fix typically involves correcting the lock ordering to maintain the client lock throughout the entire stateid processing cycle. Organizations should also implement monitoring for unusual NFS server behavior or crash patterns that might indicate exploitation attempts. Network segmentation and access controls can help limit exposure by restricting which clients can send multiple concurrent FREE_STATEID requests. The vulnerability aligns with CWE-362, which describes race conditions, and could potentially map to ATT&CK techniques involving privilege escalation or denial of service through kernel exploitation. Regular kernel updates and security auditing of NFS configurations are essential to prevent exploitation of this and similar timing-based vulnerabilities in enterprise environments.