CVE-2024-50286 in Linuxinfo

Summary

by MITRE • 11/19/2024

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create

There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2025

The vulnerability CVE-2024-50286 represents a critical use-after-free flaw in the Linux kernel's ksmbd implementation that affects the SMB2 session management functionality. This issue manifests within the ksmbd_smb2_session_create function where a race condition occurs between session creation and expiration processes. The vulnerability stems from insufficient synchronization mechanisms when manipulating the global session table, creating a scenario where memory allocated to session structures can be accessed after it has been freed, leading to potential system instability or arbitrary code execution. The ksmbd subsystem serves as a kernel module that provides SMB/CIFS file sharing capabilities on Linux systems, making this vulnerability particularly concerning for networked environments that rely on SMB services.

The technical root cause of this vulnerability lies in the absence of proper locking mechanisms when accessing the global sessions_table structure during concurrent session creation and expiration operations. When ksmbd_smb2_session_create and ksmbd_expire_session execute simultaneously, they can interfere with each other's operations on the shared session table without adequate protection. This race condition allows for a scenario where a session structure is freed from memory while another thread is still attempting to access it, resulting in a use-after-free condition. The vulnerability specifically affects the slab allocator memory management system within the Linux kernel, where objects are allocated from pre-allocated memory pools and can be accessed after deallocation if proper synchronization is not maintained. According to CWE classification, this represents a CWE-416: Use After Free vulnerability, which occurs when a program continues to use a pointer after the memory it points to has been freed.

The operational impact of CVE-2024-50286 extends beyond simple system instability, potentially enabling remote code execution in scenarios where attackers can trigger the race condition through carefully crafted SMB2 session requests. An attacker exploiting this vulnerability could cause the kernel to execute arbitrary code with elevated privileges, potentially leading to complete system compromise. The vulnerability affects systems running Linux kernels with ksmbd support enabled, particularly those serving SMB/CIFS shares to remote clients. Attackers may leverage this flaw by initiating multiple concurrent session creation and expiration requests to trigger the race condition, making it particularly dangerous in networked environments where SMB services are exposed. The vulnerability's impact aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1068 for exploit for privilege escalation, as successful exploitation could allow attackers to execute malicious code with kernel-level privileges.

Mitigation strategies for CVE-2024-50286 require immediate kernel updates from vendors that include the necessary locking mechanisms to prevent concurrent access to the session table. System administrators should prioritize patching affected systems and monitoring for exploitation attempts through network intrusion detection systems. The fix implemented in the patched kernel version introduces proper sessions_table_lock acquisition during session creation and deletion operations, ensuring that only one thread can access the session table at any given time. Additional defensive measures include restricting SMB service access to trusted networks, implementing proper network segmentation, and monitoring SMB traffic for unusual patterns that might indicate exploitation attempts. Organizations should also consider disabling SMB services if they are not required, as this reduces the attack surface and eliminates the risk associated with this specific vulnerability. The solution addresses the underlying synchronization issue by ensuring proper mutual exclusion when accessing shared kernel data structures, preventing the race condition that led to the use-after-free scenario.

Responsible

Linux

Reservation

10/21/2024

Disclosure

11/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00267

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!