Linux Kernel up to 6.6.27/6.8.6 qgroup generic/269 btrfs_subvolume_reserve_metadata memory leak
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.4 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel up to 6.6.27/6.8.6 and classified as problematic. This affects the function btrfs_subvolume_reserve_metadata of the file generic/269 of the component qgroup. Executing a manipulation can lead to memory leak.
The identification of this vulnerability is CVE-2024-35956. There is no exploit available.
It is suggested to upgrade the affected component.
Details
A vulnerability has been found in Linux Kernel up to 6.6.27/6.8.6 and classified as problematic. This vulnerability affects the function btrfs_subvolume_reserve_metadata of the file generic/269 of the component qgroup. The manipulation with an unknown input leads to a memory leak vulnerability. The CWE definition for the vulnerability is CWE-401. The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. As an impact it is known to affect availability. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction. However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation. The fix is to ensure that every qgroup PREALLOC reservation observes the following properties: 1. any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation. 2. after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation. This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.
The advisory is available at git.kernel.org. This vulnerability was named CVE-2024-35956 since 05/17/2024. Technical details are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 216985 (Debian dla-4076 : linux-config-6.1 - security update), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 6.6.28 or 6.8.7 eliminates this vulnerability. Applying the patch 14431815a4ae/6c95336f5d8e/74e97958121a is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (216985) and EUVD (EUVD-2024-35752). If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Vendor
Name
Version
- 6.6.0
- 6.6.1
- 6.6.2
- 6.6.3
- 6.6.4
- 6.6.5
- 6.6.6
- 6.6.7
- 6.6.8
- 6.6.9
- 6.6.10
- 6.6.11
- 6.6.12
- 6.6.13
- 6.6.14
- 6.6.15
- 6.6.16
- 6.6.17
- 6.6.18
- 6.6.19
- 6.6.20
- 6.6.21
- 6.6.22
- 6.6.23
- 6.6.24
- 6.6.25
- 6.6.26
- 6.6.27
- 6.8.0
- 6.8.1
- 6.8.2
- 6.8.3
- 6.8.4
- 6.8.5
- 6.8.6
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.5VulDB Meta Temp Score: 4.4
VulDB Base Score: 3.5
VulDB Temp Score: 3.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Memory leakCWE: CWE-401 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 216985
Nessus Name: Debian dla-4076 : linux-config-6.1 - security update
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Kernel 6.6.28/6.8.7
Patch: 14431815a4ae/6c95336f5d8e/74e97958121a
Timeline
05/17/2024 🔍05/20/2024 🔍
05/20/2024 🔍
05/24/2026 🔍
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2024-35956 (🔍)
GCVE (CVE): GCVE-0-2024-35956
GCVE (VulDB): GCVE-100-265234
EUVD: 🔍
Entry
Created: 05/20/2024 12:32Updated: 05/24/2026 11:57
Changes: 05/20/2024 12:32 (59), 12/14/2024 22:29 (2), 03/02/2025 07:57 (2), 09/23/2025 19:55 (11), 05/24/2026 11:57 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.