{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26958", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.200Z", "datePublished": "2024-05-01T05:19:04.069Z", "dateUpdated": "2025-08-28T14:42:40.717Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-28T14:42:40.717Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfs/direct.c", "fs/nfs/write.c", "include/linux/nfs_fs.h"], "versions": [{"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "6cd3f13aaa62970b5169d990e936b2e96943bc6a", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "80d24b308b7ee7037fc90d8ac99f6f78df0a256f", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "3abc2d160ed8213948b147295d77d44a22c88fa3", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "e25447c35f8745337ea8bc0c9697fcac14df8605", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "1daf52b5ffb24870fbeda20b4967526d8f9e12ab", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "cf54f66e1dd78990ec6b32177bca7e6ea2144a95", "status": "affected", "versionType": "git"}, {"version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "17f46b803d4f23c66cacce81db35fef3adb8f2af", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfs/direct.c", "fs/nfs/write.c", "include/linux/nfs_fs.h"], "versions": [{"version": "4.5", "status": "affected"}, {"version": "0", "lessThan": "4.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.297", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.84", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.24", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.12", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.3", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "5.4.297"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "5.10.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "5.15.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.1.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.6.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.7.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.8.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6cd3f13aaa62970b5169d990e936b2e96943bc6a"}, {"url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5"}, {"url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f"}, {"url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3"}, {"url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605"}, {"url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab"}, {"url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95"}, {"url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af"}], "title": "nfs: fix UAF in direct writes", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T13:37:27.589314Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:10.748Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.688Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.688Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T13:37:27.589314Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:38.103Z"}}], "cna": {"title": "nfs: fix UAF in direct writes", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "6cd3f13aaa62970b5169d990e936b2e96943bc6a", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "80d24b308b7ee7037fc90d8ac99f6f78df0a256f", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "3abc2d160ed8213948b147295d77d44a22c88fa3", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "e25447c35f8745337ea8bc0c9697fcac14df8605", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "1daf52b5ffb24870fbeda20b4967526d8f9e12ab", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "cf54f66e1dd78990ec6b32177bca7e6ea2144a95", "versionType": "git"}, {"status": "affected", "version": "af7cf057933f01dc7f33ddfb5e436ad598ed17ad", "lessThan": "17f46b803d4f23c66cacce81db35fef3adb8f2af", "versionType": "git"}], "programFiles": ["fs/nfs/direct.c", "fs/nfs/write.c", "include/linux/nfs_fs.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.5"}, {"status": "unaffected", "version": "0", "lessThan": "4.5", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.297", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.215", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.154", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.84", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.24", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.12", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8.3", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/nfs/direct.c", "fs/nfs/write.c", "include/linux/nfs_fs.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6cd3f13aaa62970b5169d990e936b2e96943bc6a"}, {"url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5"}, {"url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f"}, {"url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3"}, {"url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605"}, {"url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab"}, {"url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95"}, {"url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.297", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.215", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.154", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.84", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.24", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.12", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.3", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "4.5"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-28T14:42:40.717Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26958", "state": "PUBLISHED", "dateUpdated": "2025-08-28T14:42:40.717Z", "dateReserved": "2024-02-19T14:20:24.200Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-01T05:19:04.069Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "882BE7BA-C4A6-4167-8FA9-CBEDFBE98A67", "versionEndExcluding": "5.10.215", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "834D9BD5-42A6-4D74-979E-4D6D93F630FD", "versionEndExcluding": "6.1.84", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8018C1D0-0A5F-48D0-BC72-A2B33FDDA693", "versionEndExcluding": "6.6.24", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53", "versionEndExcluding": "6.7.12", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C59BBC3-6495-4A77-9C82-55EC7CDF5E02", "versionEndExcluding": "6.8.3", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfs: corrige UAF en escrituras directas En producci\u00f3n hemos estado recibiendo la siguiente advertencia constantemente ------------[ cortar aqu\u00ed ]----- ------- refcount_t: desbordamiento insuficiente; use-after-free. ADVERTENCIA: CPU: 17 PID: 1800359 en lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0 Cola de trabajo: nfsiod nfs_direct_write_schedule_work [nfs] RIP: 0010:refcount_warn_saturate+0x9c/0xe0 PKRU: 55555554 Llamada Seguimiento: ? __advertir+0x9f/0x130 ? refcount_warn_saturate+0x9c/0xe0? report_bug+0xcc/0x150? handle_bug+0x3d/0x70? exc_invalid_op+0x16/0x40? asm_exc_invalid_op+0x16/0x20? refcount_warn_saturate+0x9c/0xe0 nfs_direct_write_schedule_work+0x237/0x250 [nfs] Process_one_work+0x12f/0x4a0 trabajador_thread+0x14e/0x3b0? ZSTD_getCParams_internal+0x220/0x220 kthread+0xdc/0x120? __btf_name_valid+0xa0/0xa0 ret_from_fork+0x1f/0x30 Esto se debe a que estamos completando nfs_direct_request dos veces seguidas. La fuente de esto es cuando tenemos que enviar nuestras solicitudes de confirmaci\u00f3n, las procesamos y las enviamos, y luego en la ruta de finalizaci\u00f3n para las solicitudes de confirmaci\u00f3n tenemos if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); Sin embargo, dado que enviamos solicitudes asincr\u00f3nicas, a veces tenemos una que se completa antes de enviar la siguiente, por lo que terminamos llamando a complete en nfs_direct_request dos veces. El \u00fanico otro lugar donde usamos nfs_generic_commit_list() es en __nfs_commit_inode, que envuelve esta llamada en nfs_commit_begin(); nfs_commit_end(); Este es un patr\u00f3n com\u00fan para este estilo de manejo de finalizaci\u00f3n, uno que tambi\u00e9n se repite en el c\u00f3digo directo con llamadas get_dreq()/put_dreq() en el lugar donde procesamos eventos, as\u00ed como en las rutas de finalizaci\u00f3n. Solucione este problema utilizando el mismo patr\u00f3n para las solicitudes de confirmaci\u00f3n. Antes, con mi estr\u00e9s de rocksdb de 200 nodos ejecut\u00e1ndose, esta advertencia aparec\u00eda cada 10 minutos. Con mi parche, la prueba de esfuerzo ha estado funcionando durante varias horas sin aparecer."}], "id": "CVE-2024-26958", "lastModified": "2025-08-28T15:15:41.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-01T06:15:12.090", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6cd3f13aaa62970b5169d990e936b2e96943bc6a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:5102", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5101", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.16.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: nfs: fix UAF in direct writes", "id": "2278182", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278182"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnfs: fix UAF in direct writes\nIn production we have been hitting the following warning consistently\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? __warn+0x9f/0x130\n? refcount_warn_saturate+0x9c/0xe0\n? report_bug+0xcc/0x150\n? handle_bug+0x3d/0x70\n? exc_invalid_op+0x16/0x40\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0x9c/0xe0\nnfs_direct_write_schedule_work+0x237/0x250 [nfs]\nprocess_one_work+0x12f/0x4a0\nworker_thread+0x14e/0x3b0\n? ZSTD_getCParams_internal+0x220/0x220\nkthread+0xdc/0x120\n? __btf_name_valid+0xa0/0xa0\nret_from_fork+0x1f/0x30\nThis is because we're completing the nfs_direct_request twice in a row.\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\nif (nfs_commit_end(cinfo.mds))\nnfs_direct_write_complete(dreq);\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\nnfs_commit_begin();\nnfs_commit_end();\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\nFix this by using the same pattern for the commit requests.\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", "A use-after-free flaw was found in fs/nfs/direct.c in the Linux kernel. This may lead to a crash."], "name": "CVE-2024-26958", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26958\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26958\nhttps://lore.kernel.org/linux-cve-announce/2024050129-CVE-2024-26958-6c15@gregkh/T"], "threat_severity": "Moderate"}

{}