AZL-51763

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-51763.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-51763

Upstream

CVE-2024-49960

Published

2024-10-21T18:15:17Z

Modified

2026-04-01T05:17:45.861191Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2024-49960 affecting package kernel for versions less than 5.15.182.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix timer use-after-free on failed mount

Syzbot has found an ODEBUG bug in ext4fillsuper

The deltimersync function cancels the serrreport timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi).

When filesystem mounting fails, the flow goes to failedmount3, where an error occurs when ext4stopmmpd is called, causing a read I/O failure. This triggers the ext4handleerror function that ultimately re-arms the timer, leaving the serr_report timer active before kfree(sbi) is called.

Fix the issue by canceling the serrreport timer after calling ext4stopmmpd.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-49960

Affected packages

Azure Linux:2 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.182.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-51763.json"