PT-2024-5427 · Linux+7 · Linux Kernel+7

David Sterba

+3

·

Published

2024-05-15

·

Updated

2026-01-12

·

CVE-2024-39496

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The issue is related to a use-after-free vulnerability in the btrfs load zone info() function, which can be triggered by a race condition with a device replace operation. This happens because the function extracts a device from the chunk map into a local variable and then uses the device while not under the protection of the device replace rwsem. If a device replace operation occurs while the device is being extracted and the device is the source of the replace operation, a use-after-free can be triggered if the replace operation finishes and frees the device before the function finishes using it. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-416CWE-362

Related Identifiers

ALSA-2025_16880
ALT-PU-2024-10855
ALT-PU-2024-11524
ALT-PU-2024-13979
ALT-PU-2024-14046
BDU:2024-06071
CVE-2024-39496
DLA-4008-1
DSA-5731-1
OESA-2024-1960
SUSE-SU-2024:2802-1
SUSE-SU-2024:2896-1
SUSE-SU-2024:2973-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
USN-6999-1
USN-6999-2
USN-7004-1
USN-7005-1
USN-7005-2
USN-7008-1
USN-7021-1
USN-7021-2
USN-7021-3
USN-7021-4
USN-7021-5
USN-7029-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu