CVE-2024-49882

HIGH LAB

Linux Kernel 3.7-6.11.2 - Use-After-Free in ext4_ext_try_to_merge_up

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-49882. PoCs published by SpiralBL0CK.

AI-analyzed exploit summary: This repository demonstrates a covert communication channel exploiting CVE-2023-1206 (IPv6 hash collision timing) and CVE-2024-49882 (cross-container data transfer via hugepage leaks). It includes tools for synchronization, data exfiltration, and analysis.

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double brelse() the buffer of the extents path

In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been released, otherwise it may be released twice. An example of what triggers this is as follows:

  split2    map    split1
|--------|-------|--------|

ext4_ext_map_blocks
 ext4_ext_handle_unwritten_extents
  ext4_split_convert_extents
   // path->p_depth == 0
   ext4_split_extent
    // 1. do split1
    ext4_split_extent_at
     |ext4_ext_insert_extent
     | ext4_ext_create_new_leaf
     |  ext4_ext_grow_indepth
     |   le16_add_cpu(&neh->eh_depth, 1)
     |  ext4_find_extent
     |   // return -ENOMEM
     |// get error and try zeroout
     |path = ext4_find_extent
     | path->p_depth = 1
     |ext4_ext_try_to_merge
     | ext4_ext_try_to_merge_up
     |  path->p_depth = 0
     |  brelse(path[1].p_bh)  ---> not set to NULL here
     |// zeroout success
    // 2. update path
    ext4_find_extent
    // 3. do split2
    ext4_split_extent_at
     ext4_ext_insert_extent
      ext4_ext_create_new_leaf
       ext4_ext_grow_indepth
        le16_add_cpu(&neh->eh_depth, 1)
       ext4_find_extent
        path[0].p_bh = NULL;
        path->p_depth = 1
        read_extent_tree_block ---> return err
        // path[1].p_bh is still the old value
        ext4_free_ext_path
         ext4_ext_drop_refs
          // path->p_depth == 1
          brelse(path[1].p_bh) ---> brelse a buffer twice

Finally got the following WARNING when removing the buffer from lru:

============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
 <TASK>
 __find_get_block+0x6e7/0x810
 bdev_getblk+0x2b/0x480
 __ext4_get_inode_loc+0x48a/0x1240
 ext4_get_inode_loc+0xb2/0x150
 ext4_reserve_inode_write+0xb7/0x230
 __ext4_mark_inode_dirty+0x144/0x6a0
 ext4_ext_insert_extent+0x9c8/0x3230
 ext4_ext_map_blocks+0xf45/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
 [...]
============================================
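As an added illustration (not code from the kernel or from the PoC repository listed below), the following user-space C model replays the sequence in the commit message with a refcounted stand-in for buffer_head: without the fix, the drop_refs pass releases the stale path[1].p_bh a second time, exactly the condition behind "Trying to free free buffer"; with path[1].p_bh cleared right after its release, as the upstream commit does, the second pass is a no-op. All structure and function names here are simplified stand-ins, not the kernel's own.

```c
#include <stdio.h>
/* Stand-ins for the kernel structures: only the refcount and the per-level
   buffer pointer matter here. Names are simplified, not the kernel's own. */
struct buffer_head { int b_count; };
struct ext4_ext_path { struct buffer_head *p_bh; };

static struct buffer_head bufs[2];  /* constructed: index-node and leaf buffers */
static int double_release_count;    /* times brelse() saw an already-free buffer */

/* Mirrors the check behind "VFS: brelse: Trying to free free buffer". */
static void brelse(struct buffer_head *bh)
{
    if (!bh) return;
    if (bh->b_count <= 0) { double_release_count++; return; }
    bh->b_count--;
}

/* Collapsing depth 1 -> 0 drops the leaf at path[1]; with_fix clears the pointer as the commit does. */
static void try_to_merge_up(struct ext4_ext_path *path, int *depth, int with_fix)
{
    brelse(path[1].p_bh);
    if (with_fix)
        path[1].p_bh = NULL;
    *depth = 0;
}

/* Models ext4_ext_drop_refs(): release every level the path claims to hold. */
static void drop_refs(struct ext4_ext_path *path, int depth)
{
    for (int i = 0; i <= depth; i++) { brelse(path[i].p_bh); path[i].p_bh = NULL; }
}

/* Replays the sequence from the commit message; returns the double-release count. */
int run_sequence(int with_fix)
{
    struct ext4_ext_path path[2] = { { &bufs[0] }, { &bufs[1] } };
    int depth = 1;
    bufs[0].b_count = bufs[1].b_count = 1;
    double_release_count = 0;
    try_to_merge_up(path, &depth, with_fix); /* 1. zeroout path: depth 1 -> 0 */
    path[0].p_bh = NULL;                     /* 3. ext4_find_extent clears level 0 ... */
    depth = 1;                               /* ... after grow_indepth raised the depth */
    drop_refs(path, depth);                  /* read_extent_tree_block fails: free path */
    return double_release_count;
}

int main(void)
{
    printf("double brelse without fix: %d, with fix: %d\n", run_sequence(0), run_sequence(1));
    return 0;
}
```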

Exploits (1)

nomisec · WORKING POC · 13 stars
by SpiralBL0CK · poc
https://github.com/SpiralBL0CK/CVE-2023-1206-CVE-2025-40040-CVE-2024-49882


Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel 6.12 (with reintroduced vulnerabilities)
No auth needed
Prerequisites: Vulnerable kernel (6.12 with specific patches) · Hugepages enabled · Docker with IPv6 support
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0002
EPSS Percentile 4.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull postgres:15

Details

CWE
CWE-415
Status published
Products (30)
debian/debian_linux 11.0
linux/Kernel 3.7.0 - 4.19.323
linux/Kernel 4.20.0 - 5.4.285
linux/Kernel 5.11.0 - 5.15.168
linux/Kernel 5.16.0 - 6.1.113
linux/Kernel 5.5.0 - 5.10.227
linux/Kernel 6.11.0 - 6.11.3
linux/Kernel 6.2.0 - 6.6.55
linux/Kernel 6.7.0 - 6.10.14
Linux/Linux < 3.7
... and 20 more
Published Oct 21, 2024
Tracked Since Feb 18, 2026