Linux Kernel up to 6.12.1 localio nfs3_read_done res.replen memory corruption

Summaryinfo

A vulnerability has been found in Linux Kernel up to 6.12.1 and classified as critical. Affected is the function nfs3_read_done of the component localio. Performing a manipulation of the argument res.replen results in memory corruption. This vulnerability is identified as CVE-2024-56740. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.12.1. It has been classified as critical. This affects the function nfs3_read_done of the component localio. The manipulation of the argument res.replen with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: nfs/localio: must clear res.replen in nfs_local_read_done Otherwise memory corruption can occur due to NFSv3 LOCALIO reads leaving garbage in res.replen: - nfs3_read_done() copies that into server->read_hdrsize; from there nfs3_proc_read_setup() copies it to args.replen in new requests. - nfs3_xdr_enc_read3args() passes that to rpc_prepare_reply_pages() which includes it in hdrsize for xdr_init_pages, so that rq_rcv_buf contains a ridiculous len. - This is copied to rq_private_buf and xs_read_stream_request() eventually passes the kvec to sock_recvmsg() which receives incoming data into entirely the wrong place. This is easily reproduced with NFSv3 LOCALIO that is servicing reads when it is made to pivot back to using normal RPC. This switch back to using normal NFSv3 with RPC can occur for a few reasons but this issue was exposed with a test that stops and then restarts the NFSv3 server while LOCALIO is performing heavy read IO.

The advisory is shared at git.kernel.org. This vulnerability is uniquely identified as CVE-2024-56740 since 12/29/2024. The exploitability is told to be easy. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/14/2026).

Upgrading to version 6.12.2 eliminates this vulnerability. Applying the patch de5dac261eeab99762bbdf7c20cee5d26ef4462e/650703bc4ed3edf841e851c99ab8e7ba9e5262a3 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2024-3762). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• RESF Rocky Linux
• Dell NetWorker
• Dell Avamar
• Red Hat OpenShift
• IBM QRadar SIEM
• Dell PowerProtect Data Domain
• Open Source Linux Kernel
• IBM DataPower Gateway
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.12.0
• 6.12.1

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion