PT-2024-28108 · Linux · Linux Kernel
Ming Lei · Published 2024-06-12 · Updated 2025-09-29
CVE-2024-38663
CVSS v3.1: 5.5 (Medium), vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.37
Description
The issue is related to the blk-cgroup component in the Linux kernel, where list corruption can occur when resetting I/O statistics. Each iostat instance is added to the blkcg per-cpu llist, so blkcg_reset_stats() cannot reset a stat instance with memset(): zeroing the whole instance also overwrites the embedded list node and may corrupt the llist. The problem is fixed by resetting only the counter part.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.37 or later. As a temporary workaround, consider restricting access to the vulnerable blkcg_reset_stats() function until a patch is available.
Exploit
Fix
Buffer Overflow
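The reset pattern behind the description, as an added userspace model (not kernel code): a stat instance that embeds an intrusive list node is wiped with memset(), cutting the list, versus a reset that clears only the counters. Struct names and layout are constructed for illustration; the kernel's lockless per-cpu llist makes the real corruption less predictable than this truncation.

```c
/* Added example, not kernel code: a userspace model of the pattern in the
 * description. Each stat instance embeds an intrusive list node (standing in
 * for the kernel's struct llist_node) and sits on a per-cgroup list; names
 * and layout are constructed for illustration. */
#include <string.h>
#include <stdio.h>

struct node { struct node *next; };

struct iostat {
    struct node lnode;              /* links the instance into the list */
    unsigned long long bytes[2];    /* counters: read, write */
    unsigned long long ios[2];
};

/* Buggy reset: memset() over the whole instance also zeroes lnode.next,
 * so the list is cut off at this element. */
static void reset_buggy(struct iostat *s) { memset(s, 0, sizeof(*s)); }

/* Fixed reset: clear only the counter part; the list node is untouched. */
static void reset_fixed(struct iostat *s) {
    memset(s->bytes, 0, sizeof(s->bytes));
    memset(s->ios, 0, sizeof(s->ios));
}

/* Count the elements reachable from head by following next pointers. */
static int list_len(const struct node *head) {
    int n = 0;
    for (const struct node *p = head; p; p = p->next) n++;
    return n;
}

/* Link three instances, reset the middle one with the given routine and
 * return how many remain reachable (3 means the list survived intact). */
static int reachable_after_reset(void (*reset)(struct iostat *)) {
    struct iostat s[3] = {{{NULL}, {0, 0}, {0, 0}}};
    for (int i = 0; i < 3; i++) s[i].bytes[0] = 100 + i;  /* some traffic */
    s[0].lnode.next = &s[1].lnode;
    s[1].lnode.next = &s[2].lnode;
    reset(&s[1]);
    return list_len(&s[0].lnode);
}

int main(void) {
    printf("memset whole struct: %d of 3 reachable\n", reachable_after_reset(reset_buggy));
    printf("reset counters only: %d of 3 reachable\n", reachable_after_reset(reset_fixed));
    return 0;
}
```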
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu